Vulnerabilities, Apr 20, 2026

52M-Download protobuf.js Library Hit by RCE in Schema Handling

Critical RCE vulnerability in protobuf.js library affects 52M weekly downloads via schema handling flaw.

Summary

Endor Labs discovered a critical remote code execution (RCE) vulnerability (GHSA-xq3m-2v4x-88gg, CVSS 9.4) in protobuf.js, a widely-used JavaScript library that processes Protocol Buffer schemas. The flaw stems from unsafe use of the Function constructor to dynamically generate code without filtering malicious input in schema names, allowing attackers to inject executable JavaScript. Affected versions are protobufjs 8.0.0 and earlier, and 7.5.4 and earlier; a patch was released in April 2026 via a single-line fix that sanitizes type names.

Full text

Critical RCE flaw in protobuf.js lets attackers execute code via malicious schemas. Learn who is at risk, affected versions, and how to fix it.

by Deeba Ahmed, April 20, 2026

The cybersecurity team at Endor Labs has identified a critical remote code execution (RCE) vulnerability in protobuf.js, a JavaScript library downloaded nearly 52 million times per week. This research, shared with Hackread.com, highlights a major security gap in an important tool utilised by Google Cloud, Firebase, and various gRPC services (gRPC is an open-source framework for fast communication between microservices).

The Attack Mechanism

The flaw is tracked as GHSA-xq3m-2v4x-88gg and has a high CVSS score of 9.4. According to Endor Labs' blog post, the library uses a function called Type.generateConstructor to build JavaScript dynamically. This process relies on the Function constructor, which operates much like an eval() call by turning text into running code.

In simple terms, the library takes names found in a schema file and splices them into the code it generates in order to speed up message handling. Because the library failed to filter these names, hackers could craft a malicious .proto or JSON file in which a "name" is actually a hidden, executable command. By placing a specific string of JavaScript into a type name, a threat actor can force the system to run a payload.

Further investigation revealed that code execution occurs when an application loads and processes a malicious schema, which may happen without direct user interaction in automated or server-side workflows.

Risks to Cloud Infrastructure

The issue can affect applications built on tools such as gRPC or Firebase if they rely on protobuf.js and accept untrusted schema input; this includes gRPC reflection services and multi-tenant platforms where users upload their own data definitions. Systems that use only predefined or trusted schemas are not exposed to this risk. If a hacker influences the schema, they can achieve full RCE and go on to exfiltrate credentials or move through internal networks.

"This vulnerability is not a supply-chain attack against protobuf.js itself; the package is legitimate and maintained by developers affiliated either now or in the past with Google. It is a vulnerability in how protobuf.js processes the data developers feed it… this class of bugs, dev-tool-as-code-execution-primitive, has an emerging threat model that the ecosystem has been slow to internalize or accept," researchers explained.

Remediation and Timeline

Researchers found protobufjs versions 8.0.0 and earlier, and 7.5.4 and earlier, to be affected by this flaw. They notified the library maintainers on 2 March 2026. The vulnerability was confirmed on 9 March 2026, and a fix reached the npm registry in April 2026. The fix is a single line of code:

jsname = name.replace(/\W/g, "");

Affected versions and the one-liner patch (Source: Endor Labs)

This removes the symbols hackers need to run their code. Organisations should audit their systems immediately and update to protobuf.js 8.0.1 or 7.5.5 to close this gap. Researchers concluded that "exploitation is trivial" as soon as a poisoned file is in memory, which makes immediate updates a priority.
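The sanitization step and a pre-flight check for untrusted descriptors, as an added JavaScript example that is not protobuf.js's own code: the `name.replace(/\W/g, "")` transformation is taken from the published fix, while the generator function, the descriptor shape, the helper names and the sample schema are assumptions modelled on the article's description.

```javascript
// Added example, not protobuf.js's own code. Models the pattern the article
// describes: a schema-supplied type name is spliced into source text that is
// then compiled with the Function constructor. The only line taken from the
// published fix is the \W replacement; everything else is an assumption.

// Same transformation as the upstream one-line patch: drop every character
// outside [A-Za-z0-9_] before the name can reach generated code.
function sanitizeJsName(name) {
  return String(name).replace(/\W/g, "");
}

// Walk a protobuf.js-style JSON descriptor ({ nested: { Name: {...} } }) and
// return every type name together with its fully qualified path.
// (Descriptor shape assumed for this example.)
function collectTypeNames(node, prefix = "", out = []) {
  if (!node || typeof node !== "object" || !node.nested) return out;
  for (const [name, child] of Object.entries(node.nested)) {
    const fqn = prefix ? `${prefix}.${name}` : name;
    out.push({ name, fqn });
    collectTypeNames(child, fqn, out);
  }
  return out;
}

// Pre-flight check for untrusted descriptors: report every name the patch
// would have altered, i.e. any name containing a non-word character.
// Reject the schema when this returns a non-empty list.
function findUnsafeTypeNames(descriptor) {
  return collectTypeNames(descriptor)
    .filter(({ name }) => /\W/.test(name))
    .map(({ fqn }) => fqn);
}

// Source text for a message constructor. The sanitized name is the only
// schema-derived value that is ever interpolated into the generated code.
function generatedConstructorSource(typeName) {
  const jsname = sanitizeJsName(typeName);
  return (
    `return function ${jsname}(p) {` +
    `  if (p) for (var ks = Object.keys(p), i = 0; i < ks.length; ++i)` +
    `    this[ks[i]] = p[ks[i]];` +
    `};`
  );
}

// Compile the generated source with the Function constructor, as the
// library's generator does, and return the resulting message constructor.
function buildConstructor(typeName) {
  return new Function(generatedConstructorSource(typeName))();
}

// Constructed sample descriptor: one ordinary type and one whose name would
// not survive sanitization unchanged (a hyphen is not a word character).
const SAMPLE_DESCRIPTOR = {
  nested: {
    shop: {
      nested: {
        Order: { fields: { id: { type: "uint32", id: 1 } } },
        "Order-v2": { fields: { id: { type: "uint32", id: 1 } } },
      },
    },
  },
};

if (typeof module !== "undefined" && require.main === module) {
  console.log("unsafe names:", findUnsafeTypeNames(SAMPLE_DESCRIPTOR));
  const Order = buildConstructor("Order");
  console.log(Order.name, new Order({ id: 7 }).id);
}
```

Run `findUnsafeTypeNames` on any descriptor parsed from user-supplied JSON before it is handed to the schema loader; for `.proto` text, parse it into a descriptor first. The check is deliberately strict and mirrors the patch exactly, so it will also flag legitimate but unusual names (for example non-ASCII letters), which is the right failure direction for a multi-tenant or reflection service.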

Entities

protobuf.js (product), gRPC (product), Firebase (product), Google (vendor), Endor Labs (vendor), npm (technology)