Critical RCE Vulnerability Discovered in Protobuf.js Library
Severity: High (Score: 70.5)
Sources: Bleepingcomputer, www.endorlabs.com
Summary
A critical remote code execution (RCE) vulnerability has been identified in protobuf.js, a widely used JavaScript library for Protocol Buffers, affecting millions of applications. Discovered by Endor Labs, the flaw allows attackers to inject malicious code through unsafe dynamic code generation when the library processes protobuf schemas. The library, which sees nearly 52 million downloads a week, underpins many cloud services, including Google Cloud and Firebase.

Although no active exploitation has been reported, proof-of-concept (PoC) exploit code has been published, raising concerns about attacks to come. The vulnerability is tracked as GHSA-xq3m-2v4x-88gg and affects version 8.0.0 and earlier, including 7.5.4 and earlier on the 7.x branch. Users are advised to upgrade to 8.0.1 (8.x line) or 7.5.5 (7.x line), which carry the fix. Endor Labs stresses that schema loading should be treated as untrusted input and that dependencies should be audited for affected versions. The vulnerability was reported on March 2, and patches were released in early April.

Key Points:
• A critical RCE vulnerability in protobuf.js affects millions of applications.
• Attackers can exploit the flaw by supplying malicious protobuf schemas.
• Users are urged to upgrade to patched versions 8.0.1 or 7.5.5 to mitigate the risk.