A critical remote code execution vulnerability has been discovered and patched in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers. The flaw allows attackers to execute arbitrary JavaScript code on affected systems by supplying malicious schemas, potentially compromising servers, applications, and developer machines.

The vulnerability, tracked as GHSA-xq3m-2v4x-88gg, affects protobuf.js versions up to and including 8.0.0 in the 8.x branch and 7.5.4 in the 7.x branch. According to a report from application security company Endor Labs, the flaw stems from unsafe dynamic code generation within the library.
How the vulnerability works
protobuf.js builds JavaScript functions from protobuf schemas by concatenating strings and executing them via the Function() constructor. However, the library fails to validate schema-derived identifiers, such as message names. This oversight allows an attacker to supply a malicious schema that injects arbitrary code into the generated function.
When an application processes a message using the attacker-influenced schema, the injected code executes, potentially granting the attacker access to environment variables, credentials, databases, and internal systems. The vulnerability could even enable lateral movement within the infrastructure.
Scope and impact
The vulnerability is particularly concerning given protobuf.js's popularity. The library averages nearly 50 million weekly downloads on the Node Package Manager (npm) registry and is used extensively for inter-service communication, real-time applications, and efficient storage of structured data in databases and cloud environments.
Beyond servers and applications, the attack could also affect developer machines if they load and decode untrusted schemas locally.
Patching and mitigation
The vulnerability was reported by Endor Labs researcher and security bug bounty hunter Cristian Staicu on March 2. The protobuf.js maintainers released a patch on GitHub on March 11, with fixes to the npm packages becoming available on April 4 for the 8.x branch and April 15 for the 7.x branch.
Endor Labs recommends upgrading to versions 8.0.1 and 7.5.5, which address the issue. The patch sanitizes type names by stripping non-alphanumeric characters, so an attacker can no longer break out of the string that forms the generated function's source.
However, Endor Labs notes that a longer-term fix would be to stop round-tripping attacker-reachable identifiers through Function() altogether.
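To make the three options concrete (the strip-based patch described above, rejecting non-identifier names, and the longer-term fix of keeping schema-derived names out of Function() entirely), here is an added example; it is not protobuf.js code, the decoder shape and the `reader` array are assumptions, and the sanitizer is modelled only on the advisory's description of the patch.

```javascript
// Added example, not protobuf.js code: three defensive patterns for code
// generated from schema-derived names, modelled on the advisory's description.
const IDENT_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Pattern A, what the patch is described as doing: strip every character
// that is not alphanumeric (or underscore) before the name reaches the source
// string, so no quote, bracket or semicolon can terminate the template early.
function sanitizeTypeName(name) {
  return String(name).replace(/[^A-Za-z0-9_]/g, "");
}

// Pattern B: reject rather than repair. Schema-loading is treated as untrusted
// input, so a message or field name that is not a plain identifier is refused.
function assertIdentifier(name) {
  if (typeof name !== "string" || !IDENT_RE.test(name)) {
    throw new TypeError(`unsafe schema identifier: ${JSON.stringify(name)}`);
  }
  return name;
}

// Pattern C, the longer-term fix the advisory suggests: keep identifiers out of
// the generated source altogether. The body below is a fixed template; the
// type and field names only ever travel as runtime arguments (hypothetical
// decoder shape, where `reader` is an array of already-parsed field values).
function buildDecoder(typeName, fieldNames) {
  assertIdentifier(typeName);
  fieldNames.forEach(assertIdentifier);
  const body = `
    const out = {};
    for (let i = 0; i < fields.length; i++) out[fields[i]] = reader[i];
    out.$type = typeName;
    return out;`;
  const decode = new Function("typeName", "fields", "reader", body);
  return (reader) => decode(typeName, fieldNames, reader);
}

// Usage with constructed sample data.
const decodeUser = buildDecoder("User", ["id", "name"]);
const sample = decodeUser([42, "alice"]); // { id: 42, name: "alice", $type: "User" }
```

Pattern A is the narrowest change and the one the patch takes; patterns B and C are the stricter choices for code that treats loaded schemas as untrusted input.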
Additional security measures
Beyond upgrading to patched versions, Endor Labs recommends several additional security measures:
- Audit transitive dependencies to identify vulnerable components
- Treat schema-loading as untrusted input
- Prefer precompiled or static schemas in production environments
Current threat landscape
While Endor Labs warns that "exploitation is straightforward" and has published a minimal proof-of-concept (PoC) in their security advisory, no active exploitation in the wild has been observed to date.
This vulnerability joins a growing list of critical security flaws affecting widely used software components. Recent examples include emergency fixes for Adobe Acrobat and Reader zero-day flaws, active exploitation of a critical Marimo pre-auth RCE flaw, and attacks exploiting a critical Fortinet Forticlient EMS flaw.
For organizations using protobuf.js, immediate action is recommended to upgrade to the patched versions and implement the suggested security measures to protect against potential exploitation of this critical vulnerability.
