[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"focus:52m-download-protobuf-js-library-hit-by-rce-in-schema-handling-mo7if6w9":3},{"item":4},{"id":5,"title":6,"slug":7,"summary":8,"severity":9,"category":10,"cve_ids":11,"affected_products":12,"action_required":18,"article_ids":19,"ioc_summary":21,"source_urls":22,"status":24,"expires_at":25,"created_at":26,"updated_at":27,"articles":28},"4dc97f44-a1ca-42b0-a16f-695db9fc5db9","52M-Download protobuf.js Library Hit by RCE in Schema Handling","52m-download-protobuf-js-library-hit-by-rce-in-schema-handling-mo7if6w9","A critical RCE vulnerability (CVSS 9.4) was discovered in protobuf.js, a JavaScript library downloaded 52M times monthly. Attackers can inject malicious code through crafted schema names that bypass input validation and reach the Function constructor. Any application using protobufjs 8.0.0 or earlier on the 8.x line, or 7.5.4 or earlier on the 7.x line, is at risk of remote code execution.","critical","advisory",[],[13,14,15,16,17],"protobuf.js","gRPC","Firebase","Google","Endor Labs","Immediately identify all internal and third-party applications using protobufjs, directly or as a transitive dependency. Upgrade to patched versions (8.0.1+ or 7.5.5+) and scan logs for suspicious schema processing or Function constructor abuse patterns.",[20],"4402f742-d9af-4273-8d40-1310e13279c3",null,[23],"https:\u002F\u002Fhackread.com\u002F52m-download-protobuf-js-library-rce-schema-handle\u002F","archived","2026-04-22T18:09:46.561+00:00","2026-04-20T18:09:51.351497+00:00","2026-04-25T14:09:53.96931+00:00",[29],{"id":20,"title":6,"url":23}]