Critical flaw in Protobuf library enables JavaScript code execution

Published: (April 18, 2026 at 11:09 AM EDT)
2 min read

Source: Bleeping Computer


Overview

Proof‑of‑concept exploit code has been published for a critical remote code execution (RCE) flaw in protobuf.js, a widely used JavaScript implementation of Google’s Protocol Buffers. The library is highly popular in the npm registry, with an average of nearly 50 million weekly downloads (npmjs.com/package/protobufjs). It is used for inter‑service communication, real‑time applications, and efficient storage of structured data in databases and cloud environments.

Vulnerability Details

Application security company Endor Labs reported that the RCE vulnerability is caused by unsafe dynamic code generation. The library builds JavaScript functions from protobuf schemas by concatenating strings and executing them via the Function() constructor, but it fails to validate schema‑derived identifiers (e.g., message names). An attacker can supply a malicious schema that injects arbitrary code into the generated function, which is then executed when the application processes a message using that schema.

The issue is tracked as GHSA‑xq3m‑2v4x‑88gg (no official CVE assigned yet).

Impact

  • Remote code execution on servers or applications that load attacker‑influenced schemas.
  • Potential access to environment variables, credentials, databases, and internal systems.
  • Possibility of lateral movement within the infrastructure.
  • Threat to developer machines that decode untrusted schemas locally.

Affected Versions and Fixes

  • Affected: protobuf.js versions 8.0.0, 7.5.4, and lower.
  • Patched: versions 8.0.1 and 7.5.5.

The patch sanitizes type names by stripping non‑alphanumeric characters, so an attacker‑controlled name can no longer break out of the generated function source. Endor Labs notes that a longer‑term fix would be to avoid using Function() for attacker‑reachable identifiers altogether.
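The following is an added example, not protobuf.js code, that models the bug class described above and the two defences the article mentions: validating (or, as the patch does, stripping) schema-derived names before they reach Function(), and generating code without compiling the name at all. The identifier rule and the schema shape used by the audit helper are assumptions.

```javascript
// Assumed rule: a type name may only be a plain identifier (letters, digits, underscore).
const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

function isSafeIdentifier(name) {
  return typeof name === "string" && IDENT_RE.test(name);
}

// Mirrors the fix described in the article: strip non-alphanumeric characters so the
// name can no longer terminate the string literal or function body being generated.
function sanitizeTypeName(name) {
  return String(name).replace(/[^A-Za-z0-9_]/g, "");
}

// Vulnerable pattern (kept for contrast): the raw name becomes part of the program text,
// so any quote, parenthesis or semicolon in it changes what Function() compiles.
function buildDecoderUnsafe(typeName) {
  const src =
    "return function " + typeName + "(bytes) { return { type: '" + typeName + "', len: bytes.length }; };";
  return new Function(src)();
}

// Hardened variant 1: validate first and refuse, rather than guess, on a bad name.
function buildDecoderValidated(typeName) {
  if (!isSafeIdentifier(typeName)) {
    throw new Error("unsafe type name rejected: " + JSON.stringify(typeName));
  }
  return buildDecoderUnsafe(typeName);
}

// Hardened variant 2 (the longer-term fix the article mentions): no Function() at all.
// The name is ordinary data captured by a closure and never becomes program text,
// so even a fully qualified or hostile name is harmless.
function buildDecoderClosure(typeName) {
  const decode = (bytes) => ({ type: typeName, len: bytes.length });
  Object.defineProperty(decode, "name", { value: String(typeName) });
  return decode;
}

// Audit helper for "treat schema loading as untrusted input": given parsed schema types
// (assumed shape: array of { name }), return the names a string-splicing codegen must
// never see unvalidated. A non-empty result means the schema needs review.
function findUnsafeTypeNames(schemaTypes) {
  return schemaTypes.map((t) => t.name).filter((n) => !isSafeIdentifier(n));
}
```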

Mitigation Recommendations

  • Upgrade to the patched versions (8.0.1 / 7.5.5).
  • Audit transitive dependencies to ensure no vulnerable versions are pulled in.
  • Treat schema loading as untrusted input and prefer pre‑compiled or static schemas in production environments.
  • Monitor for any signs of exploitation, although no active exploitation in the wild has been observed to date.
