A critical remote code execution flaw in protobuf.js, a widely used JavaScript implementation of Google’s Protocol Buffers, has a published proof-of-concept exploit and affects versions 8.0.0 and 7.5.4 and earlier, according to a technical analysis by Endor Labs.
KEY FACTS
- Issue: Unsafe dynamic code generation can let malicious schema data inject arbitrary JavaScript.
- Impact: Attackers could run code on servers, applications, or developer machines that process untrusted schemas.
- Status: The flaw is tracked as GHSA-xq3m-2v4x-88gg and does not yet have an official CVE number.
- Fix: Patched releases are 8.0.1 and 7.5.5.
The library is widely used in the npm registry, with an average of nearly 50 million weekly downloads. It is used for inter-service communication, real-time applications, and structured data storage in databases and cloud environments.
The report says the problem stems from the way the library builds JavaScript functions from protobuf schemas. It concatenates strings and passes them to the Function() constructor, but it does not properly validate schema-derived identifiers such as message names.
That means an attacker who can supply a malicious schema may be able to inject code into the generated function. The report says the code can then run when the application processes a message using that schema, which could expose environment variables, credentials, databases, and internal systems.
The vulnerability was reported on March 2, a patch was released on GitHub on March 11, and npm fixes followed on April 4 for the 8.x branch and April 15 for the 7.x branch. Endor Labs said exploitation is straightforward, but no active exploitation in the wild has been observed.
Endor Labs also recommends auditing transitive dependencies, treating schema loading as untrusted input, and preferring precompiled or static schemas in production.
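The unvalidated-identifier pattern described above, together with the advice to treat schema loading as untrusted input, as an added JavaScript illustration that is not protobuf.js's own code: a codegen step that rejects any schema-derived name that is not a plain identifier before it is concatenated into source for Function(). The schema shape, the RESERVED list and the helper names are assumptions.

```javascript
// Added illustration, not protobuf.js's own code: a schema-driven codegen step
// that validates every schema-derived name before it is spliced into a string
// handed to Function(). Schema shape, RESERVED list and helper names are assumed.

// Plain ASCII identifier grammar: a name matching this cannot close a string
// literal, end a statement or open a comment inside the generated source.
const SAFE_IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Valid identifier syntax that still must not become a generated property name.
const RESERVED = new Set(["__proto__", "constructor", "prototype", "eval", "arguments"]);

function assertSafeIdentifier(name) {
  if (typeof name !== "string" || !SAFE_IDENT.test(name) || RESERVED.has(name)) {
    throw new Error("unsafe schema identifier: " + JSON.stringify(name));
  }
  return name;
}

// Same concatenation style the article describes: message and field names are
// part of the generated source. Field names are emitted as property accessors,
// which cannot be quoted or escaped, so the check above is the only defence there.
function buildDecoderSource(messageName, fieldNames) {
  const type = assertSafeIdentifier(messageName);
  const fields = fieldNames.map(assertSafeIdentifier);
  const assigns = fields.map((f, i) => "  obj." + f + " = values[" + i + "];");
  return ["  var obj = {};", ...assigns,
          "  obj.$type = " + JSON.stringify(type) + ";", "  return obj;"].join("\n");
}

function compileDecoder(messageName, fieldNames) {
  return new Function("values", buildDecoderSource(messageName, fieldNames));
}

// Boundary for untrusted schemas: a rejected schema is a result, not a crash.
function tryCompileSchema(schema) {
  try {
    return { ok: true, decoder: compileDecoder(schema.name, schema.fields) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed sample schemas for the demonstration.
const BENIGN_SCHEMA = { name: "User", fields: ["id", "email"] };
const HOSTILE_SCHEMA = { name: "User", fields: ['id"; injected(); "'] };

const user = tryCompileSchema(BENIGN_SCHEMA);
console.log(JSON.stringify(user.decoder([7, "a@example.com"]))); // {"id":7,"email":"a@example.com","$type":"User"}
console.log(tryCompileSchema(HOSTILE_SCHEMA).reason);
```

Precompiled or static schemas sidestep the issue entirely, since no schema-derived string reaches Function() at runtime; the validator above is the fallback for code paths that must load schemas dynamically.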
WHY IT MATTERS
The flaw affects software that relies on protobuf.js to handle external or attacker-influenced schemas, including some server and developer environments. Updating to the patched versions and limiting trust in schema input can reduce the risk of code execution.