
52M-Download protobuf.js Library Hit by RCE in Schema Handling

A critical remote code execution vulnerability (CVSS 9.4) was discovered in protobuf.js, a JavaScript Protocol Buffers library downloaded 52M times a month. protobufjs generates encoder and decoder functions at runtime with the Function constructor, and names taken from a schema are interpolated into that generated source; a crafted schema name that slips past the library's name validation therefore lets an attacker inject JavaScript that runs inside the generated function. Applications using protobufjs 8.0.0 or earlier on the 8.x line, or 7.5.4 or earlier on the 7.x line, are affected. Exposure depends on whether a schema (a .proto file or JSON descriptor) can reach the application from an untrusted source; check which versions are installed, including transitive copies pulled in by other packages, with `npm ls protobufjs`.
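To make the injection class concrete, the following is an added example and not protobufjs's own code: a toy runtime code generator that, like protobuf-style codegen, builds a field-writer from a schema-supplied field name with the Function constructor, shown in a vulnerable form beside a hardened one. The generator, the crafted name, the message and the `pwned` marker are all constructed for illustration.

```javascript
// Added example (not protobufjs code): code injection through a schema name
// that is pasted into source handed to the Function constructor.

// Identifier allow-list used by the hardened generator (assumed policy).
const SAFE_NAME = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Vulnerable: the field name goes straight into the generated source, so a
// name containing a quote and a bracket can close the property access and
// append arbitrary statements.
function compileWriterVulnerable(fieldName) {
  const src = 'm["' + fieldName + '"] = v; return m;';
  return new Function("m", "v", src);
}

// Hardened: reject anything that is not a plain identifier before it reaches
// the generated source, so breaking out of the string literal is impossible.
function compileWriterHardened(fieldName) {
  if (!SAFE_NAME.test(fieldName)) {
    throw new Error("invalid field name in schema: " + JSON.stringify(fieldName));
  }
  const src = 'm["' + fieldName + '"] = v; return m;';
  return new Function("m", "v", src);
}

// Constructed crafted name: closes the property access and the assignment,
// runs attacker-chosen JavaScript, then re-opens a harmless access so the
// generated source still parses.
const craftedName = 'x"] = v; globalThis.pwned = "yes"; m["x';

// Runs both generators against the crafted name and a legitimate one and
// returns what happened, so the outcome can be checked rather than printed.
function demo() {
  globalThis.pwned = "no";

  // Vulnerable path: the generated function executes the injected statement.
  const write = compileWriterVulnerable(craftedName);
  write({}, 1);
  const vulnerableResult = globalThis.pwned;

  // Hardened path: the crafted name never becomes source.
  let hardenedRejected = false;
  try {
    compileWriterHardened(craftedName);
  } catch (e) {
    hardenedRejected = true;
  }

  // The hardened generator still works for ordinary schema names.
  const legit = compileWriterHardened("x")({}, 5).x;

  return { vulnerableResult, hardenedRejected, legit };
}

console.log(demo());
```

The allow-list check is the hardening to look for: any generator that emits source from data must constrain that data to the grammar it expects (an identifier here), since escaping quotes alone does not cover every way a value can change the meaning of generated code.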