Critical Vulnerability Found in Protobuf.js Library Affects 52 Million Downloads
Critical Remote Code Execution Flaw Discovered in Protobuf.js Library
A critical remote code execution (RCE) vulnerability has been discovered in the widely used protobuf.js library, a JavaScript library that enables developers to work with protocol buffers.
“The flaw, assigned a high CVSS score of 9.4, allows attackers to execute code via malicious schemas.” – Source: Vulnerability Report
The Vulnerability Details
The vulnerability, tracked as GHSA-xq3m-2v4x-88gg, resides in the Type.generateConstructor function, which assembles a message constructor as JavaScript source text at runtime and compiles it with the Function constructor.
- The library failed to sanitize the type names it reads from a schema, so an attacker can craft a .proto or JSON file whose type name carries an embedded JavaScript payload.
- Because the name is spliced verbatim into the generated source, the payload becomes part of the compiled function and runs when the library generates it.
- No user interaction is needed beyond the application loading and processing the malicious schema; in automated or server-side workflows this can happen without anyone ever looking at the file.
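The pattern described above, as an added illustration that is not code from protobuf.js: a hypothetical toy generator (generateConstructorUnsafe) splices a schema-supplied type name into source text handed to the Function constructor, and a second version (generateConstructorSafe) applies the one-line `replace(/\W/g, "")` sanitizer the advisory attributes to the fix. The malicious type name is constructed for this example; it exploits the comma operator so that the injected expression runs at generation time and the last operand becomes the returned constructor.

```javascript
// Added illustration, not protobuf.js's own code. generateConstructorUnsafe
// and generateConstructorSafe are hypothetical stand-ins that mirror the
// pattern the advisory describes: a type name from the schema ends up inside
// source text that is compiled with the Function constructor.

function generateConstructorUnsafe(typeName) {
  // Vulnerable style: the name goes straight into the generated source.
  const src =
    `return function ${typeName}(p) { if (p) Object.assign(this, p); }`;
  return new Function(src)();
}

function generateConstructorSafe(typeName) {
  // Same one-line fix as described in the advisory: strip every character
  // outside [A-Za-z0-9_] before the name reaches the Function constructor.
  const jsname = typeName.replace(/\W/g, "");
  const src =
    `return function ${jsname}(p) { if (p) Object.assign(this, p); }`;
  return new Function(src)();
}

// Constructed malicious type name (not from any real schema). The generated
// source becomes:
//   return function Msg(){}, (globalThis.__toyPayloadRan = true), function Evil(p) {...}
// "return" takes a comma expression, so the middle operand executes during
// generation and the final operand, Evil, is what gets returned.
const MALICIOUS_TYPE_NAME =
  "Msg(){}, (globalThis.__toyPayloadRan = true), function Evil";

// Runs one generator against the payload name and reports whether the
// injected expression executed and what name the returned constructor got.
function probe(generate) {
  delete globalThis.__toyPayloadRan; // reset the marker the payload sets
  const Ctor = generate(MALICIOUS_TYPE_NAME);
  return {
    payloadRan: globalThis.__toyPayloadRan === true,
    ctorName: Ctor.name,
  };
}

// Benign names pass through the sanitized generator unchanged.
function benignRoundTrip() {
  const Person = generateConstructorSafe("Person");
  const p = new Person({ id: 7 });
  return { ctorName: Person.name, id: p.id };
}

console.log(probe(generateConstructorUnsafe)); // { payloadRan: true, ctorName: 'Evil' }
console.log(probe(generateConstructorSafe));   // { payloadRan: false, ctorName: 'MsgglobalThis__toyPayloadRantruefunctionEvil' }
console.log(benignRoundTrip());                // { ctorName: 'Person', id: 7 }
```

One caveat worth knowing when applying this kind of sanitizer: stripping non-word characters removes every injection primitive (parentheses, braces, commas, quotes), but the leftover string is not guaranteed to be a legal identifier. A name that starts with a digit or collapses to a reserved word still makes the Function constructor throw a SyntaxError at generation time; that is a failed load, not a code-execution path, but it is a failure mode to handle when schemas come from outside.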
Risk Assessment
Systems built on tools such as gRPC or Firebase that rely on protobuf.js and accept schemas from untrusted sources are at risk.
- Applications that only load their own predefined, trusted schemas are not exposed. The exposed deployments are those where an outside party supplies the schema, for example gRPC reflection services (where schema descriptors arrive from a remote peer) or multi-tenant platforms where users upload their own data definitions.
- An attacker who can influence the schema gains full remote code execution in the loading process and can, from there, exfiltrate credentials or move laterally through internal networks.
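For deployments in the exposed category, a defense-in-depth gate can sit in front of the library: refuse any schema whose declared names are not plain identifiers before it is handed to protobuf.js. The following is an added example, not part of the advisory or of protobuf.js. It walks a protobuf.js JSON descriptor (the `{ nested: { ... } }` shape that pbjs and Root.toJSON produce) and lists every type, field, oneof, enum value and method name that fails a strict identifier check; the IDENTIFIER pattern, the NAME_MAPS list and the function names are this example's own choices, and the sample descriptors are constructed. It needs no dependencies, so it runs offline.

```javascript
// Added example, not protobuf.js code: a pre-load gate for user-supplied
// JSON descriptors. Names that are not plain identifiers are reported with
// their path so the descriptor can be rejected before Root.fromJSON sees it.

// Strict identifier: ASCII letter or underscore, then letters, digits, underscores.
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Descriptor properties whose child keys are declared schema names
// (namespaces/types/enums/services, fields, oneofs, enum values, RPC methods).
const NAME_MAPS = ["nested", "fields", "oneofs", "values", "methods"];

// Returns the list of paths (like "/nested/acme/nested/Bad Name") whose
// declared name fails the identifier check. An empty list means clean.
function findUnsafeNames(descriptor, path = "", out = []) {
  if (!descriptor || typeof descriptor !== "object") return out;
  for (const key of NAME_MAPS) {
    const map = descriptor[key];
    if (!map || typeof map !== "object") continue;
    for (const name of Object.keys(map)) {
      const here = `${path}/${key}/${name}`;
      if (!IDENTIFIER.test(name)) out.push(here);
      // Only "nested" entries can themselves contain further declarations.
      if (key === "nested") findUnsafeNames(map[name], here, out);
    }
  }
  return out;
}

// Gate: parse, scan, and throw instead of returning a poisoned descriptor.
// A real service would call protobuf.Root.fromJSON(descriptor) only after this.
function loadUntrustedDescriptor(json) {
  const descriptor = JSON.parse(json);
  const bad = findUnsafeNames(descriptor);
  if (bad.length) {
    throw new Error(`rejected schema, unsafe names at: ${bad.join(", ")}`);
  }
  return descriptor;
}

// Constructed sample descriptors for the example.
const GOOD_DESCRIPTOR = JSON.stringify({
  nested: {
    acme: {
      nested: {
        Person: {
          fields: {
            id: { type: "int32", id: 1 },
            name: { type: "string", id: 2 },
          },
        },
        Status: { values: { UNKNOWN: 0, ACTIVE: 1 } },
      },
    },
  },
});

const BAD_DESCRIPTOR = JSON.stringify({
  nested: {
    "Msg(){}, evil(), function Evil": {
      fields: { id: { type: "int32", id: 1 } },
    },
  },
});

console.log(findUnsafeNames(JSON.parse(GOOD_DESCRIPTOR))); // []
console.log(findUnsafeNames(JSON.parse(BAD_DESCRIPTOR)));  // [ '/nested/Msg(){}, evil(), function Evil' ]
```

This gate is a stopgap for the window before the patched version is rolled out, not a substitute for upgrading: it covers only the JSON descriptor form (a .proto text file would need the same check after parsing), and a name it accepts can still be rejected by protobuf.js for other reasons, such as being a reserved word.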
Patch Release
A fix was released in April 2026, consisting of a single line of code: jsname = name.replace(/\W/g, ""); — \W matches any character other than a letter, digit or underscore, so parentheses, braces, semicolons, quotes and spaces can no longer reach the Function constructor through a type name.
Organizations should promptly audit their dependency trees for protobuf.js and update to version 8.0.1 or 7.5.5 to close this gap, as exploitation is trivial once a poisoned schema has been parsed.
