A critical remote code execution vulnerability (GHSA-xq3m-2v4x-88gg) has been disclosed in protobuf.js, a JavaScript Protocol Buffers library with ~50 million weekly npm downloads. The flaw stems from unsafe dynamic code generation: the library builds JavaScript functions from protobuf schemas via string concatenation and the Function() constructor without validating schema-derived identifiers like message names. An attacker can supply a malicious schema to inject and execute arbitrary code, potentially gaining access to credentials, databases, and internal systems. Affected versions are 8.0.0/7.5.4 and below; patched versions 8.0.1 and 7.5.5 are available. A PoC exploit has been published, though no active exploitation in the wild has been observed. Mitigations include upgrading, auditing transitive dependencies, treating schema-loading as untrusted input, and using precompiled static schemas.
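The root cause described above is schema-derived names reaching the Function() constructor unchecked. As an added example (not code from protobuf.js or the advisory), this is the kind of identifier whitelist a schema-driven code generator can apply before any name is spliced into generated source; the schema shape, names and the findUnsafeNames/compileFieldGetter helpers are constructed for illustration.

```javascript
// Added example: validating schema-derived identifiers before code generation.
// This is not protobuf.js code; the schema shape below is constructed.
const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Words that match IDENT_RE yet are illegal or risky as names in generated
// JavaScript source (keywords plus eval/arguments). Conservative on purpose.
const RESERVED = new Set([
  "break", "case", "catch", "class", "const", "continue", "debugger",
  "default", "delete", "do", "else", "enum", "export", "extends", "false",
  "finally", "for", "function", "if", "import", "in", "instanceof", "new",
  "null", "return", "super", "switch", "this", "throw", "true", "try",
  "typeof", "var", "void", "while", "with", "yield", "let", "static",
  "await", "arguments", "eval",
]);

// A protobuf name such as "pkg.v1.User" is safe only if every dotted
// segment is a plain identifier and not a reserved word. The length bound
// is an arbitrary sanity limit for this example.
function isSafeSchemaName(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 256) {
    return false;
  }
  return name.split(".").every((s) => IDENT_RE.test(s) && !RESERVED.has(s));
}

// Walk a parsed schema (constructed shape: {messages:[{name, fields:[...]}]})
// and return every name that would be rejected. An empty list means the
// schema may proceed to code generation; anything else is untrusted input.
function findUnsafeNames(schema) {
  const bad = [];
  for (const msg of schema.messages || []) {
    if (!isSafeSchemaName(msg.name)) bad.push(msg.name);
    for (const f of msg.fields || []) {
      if (!isSafeSchemaName(f) || f.includes(".")) bad.push(msg.name + "." + f);
    }
  }
  return bad;
}

// Generated accessor in the style of schema-driven codegen. The field name
// is interpolated into source only after validation, so the whitelist, not
// the Function() constructor, is what bounds the generated code.
function compileFieldGetter(messageName, fieldName) {
  if (!isSafeSchemaName(messageName) ||
      !isSafeSchemaName(fieldName) || fieldName.includes(".")) {
    throw new TypeError("rejected schema identifier in " + messageName);
  }
  return new Function("m", "return m." + fieldName + ";");
}
```

Running findUnsafeNames over a schema before any generation step is the "treat schema-loading as untrusted input" mitigation in concrete form; with precompiled static schemas the check can run once at build time instead.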