A critical vulnerability has been discovered in the protobuf.js library, a widely used JavaScript tool with nearly 52 million weekly downloads. This flaw, identified by Endor Labs, poses a significant risk to applications utilizing Google Cloud, Firebase, and gRPC services. The vulnerability allows for remote code execution, making it a severe threat to affected systems.
The vulnerability, tracked as GHSA-xq3m-2v4x-88gg, has been assigned a high CVSS score of 9.4. It originates in the library's Type.generateConstructor function, which builds JavaScript code dynamically. That generation relies on the Function constructor, which, like eval(), executes a string as code. Because the library did not adequately validate the names it interpolated into that string, an attacker could embed executable code in the type names of a crafted .proto or JSON schema file.
The risk is particularly high for applications that accept untrusted schema inputs, such as those using gRPC or Firebase. Systems relying on predefined or trusted schemas are not vulnerable. If an attacker can manipulate the schema, they can achieve full remote code execution, potentially exfiltrating credentials or moving laterally within networks. This vulnerability is not a supply-chain attack on protobuf.js itself but rather an issue with how it processes developer-supplied data.
The affected versions of protobuf.js are 8.0.0 and earlier, and 7.5.4 and earlier. The vulnerability was reported to the library maintainers on March 2, 2026, confirmed on March 9, 2026, and a fix was released in April 2026. The patch involves a simple code change that removes symbols necessary for executing malicious code.
Organizations using protobuf.js should conduct an immediate audit of their systems and update to versions 8.0.1 or 7.5.5 to address this vulnerability. Given the ease of exploitation once a malicious file is loaded, prompt updates are essential to protect against potential attacks.
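For applications that cannot avoid accepting schemas from outside, updating is the fix; a defensive pre-check on the schema is an additional layer. The following is an added example, not code from the advisory or from the protobuf.js project: it walks a protobuf.js JSON descriptor (the object shape accepted by `Root.fromJSON`) and reports every type, field, enum, or method name that is not a plain identifier, so a caller can refuse the schema before the library ever generates code from it. The descriptor is constructed for illustration.

```javascript
// Names in a descriptor are what protobuf.js interpolates into generated code,
// so this check allows only plain identifiers ([A-Za-z_][A-Za-z0-9_]*) and
// rejects everything else before the schema reaches the library.
const SAFE_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Walk a protobuf.js JSON descriptor and return the dotted path of every name
// that fails the identifier check. An empty array means the schema is clean.
function findUnsafeNames(node, path = []) {
  const bad = [];
  const check = (name) => {
    if (!SAFE_NAME.test(name)) bad.push([...path, name].join('.'));
  };
  // "nested" holds namespaces, message types, enums and services keyed by name.
  for (const [name, child] of Object.entries(node.nested || {})) {
    check(name);
    bad.push(...findUnsafeNames(child, [...path, name]));
  }
  // Message fields, oneofs, enum values and service methods are also keyed by name.
  for (const key of ['fields', 'oneofs', 'values', 'methods']) {
    for (const name of Object.keys(node[key] || {})) check(name);
  }
  return bad;
}

// Gate for untrusted input: throw instead of handing a suspicious descriptor to
// protobuf.js. `fromJSON` is the loader the caller supplies, e.g. protobuf.Root.fromJSON.
function loadVettedSchema(descriptor, fromJSON) {
  const bad = findUnsafeNames(descriptor);
  if (bad.length > 0) {
    throw new Error(`schema rejected, unsafe names: ${bad.join(', ')}`);
  }
  return fromJSON(descriptor);
}

// Constructed sample: a clean "Order" message and "Status" enum, plus one
// message whose type and field names contain characters outside the allowlist.
const SAMPLE_DESCRIPTOR = {
  nested: {
    shop: {
      nested: {
        Order: { fields: { id: { type: 'uint32', id: 1 }, status: { type: 'Status', id: 2 } } },
        Status: { values: { NEW: 0, PAID: 1 } },
        'Line Item': { fields: { 'sku;': { type: 'string', id: 1 } } },
      },
    },
  },
};

console.log(findUnsafeNames(SAMPLE_DESCRIPTOR)); // ['shop.Line Item', 'shop.Line Item.sku;']
```

A clean descriptor passes through `loadVettedSchema` unchanged, so the gate can sit in front of any existing `Root.fromJSON` call without altering the trusted-schema path.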
Source: https://www.endorlabs.com/learn/the-dangers-of-reusing-protobuf-definitions-critical-code-execution-in-protobuf-js-ghsa-xq3m-2v4x-88gg