Protobuf.js unsafe dynamic code generation RCE flaw
Vulnerability
Summary
Hide ▲
Show ▼
A proof-of-concept exploit is now public for a critical RCE flaw in protobuf.js, putting versions 8.0.0/7.5.4 and lower at risk of code execution. The weakness comes from unsafe dynamic code generation through `Function()`, which can let malicious schemas inject arbitrary code when an application processes protobuf data. Although no in-the-wild exploitation has been observed, the issue can expose credentials, databases, and internal systems, and users should upgrade to 8.0.1 or 7.5.5.
Related Happenings
Vm2 Node.js sandbox library sandbox escape (CVE-2026-22709)
Vulnerability
First: 27.01.2026 18:35
Last: 27.01.2026 18:35
Sources 1
About this happening:
**vm2 Node.js sandbox library** has a critical **CVE-2026-22709** sandbox-escape flaw that can let untrusted JavaScript break out and run **arbitrary code** on the host. The weakn...
Vm2 Node.js sandbox library sandbox escape (CVE-2026-22709)
VulnerabilityAbout this happening: **vm2 Node.js sandbox library** has a critical **CVE-2026-22709** sandbox-escape flaw that can let untrusted JavaScript break out and run **arbitrary code** on the host. The weakn...
Timeline
-
18.04.2026 18:09 1 articles · 1mo ago
protobuf.js RCE vulnerability reported
Initial DisclosureEndor Labs researcher and security bug bounty hunter Cristian Staicu reports a remote code execution flaw in protobuf.js, identifying unsafe dynamic code generation as the root cause in the JavaScript Protocol Buffers implementation.
Show sources
- Critical flaw in Protobuf library enables JavaScript code execution — www.bleepingcomputer.com — 18.04.2026 18:09
-
18.04.2026 18:09 1 articles · 1mo ago
protobuf.js patch lands on GitHub
Mitigation Patch UpdateThe protobuf.js maintainers release a GitHub patch that sanitizes type names by stripping non-alphanumeric characters, preventing attacker-controlled schema identifiers from closing the synthetic function used for code generation.
Show sources
- Critical flaw in Protobuf library enables JavaScript code execution — www.bleepingcomputer.com — 18.04.2026 18:09
-
18.04.2026 18:09 1 articles · 1mo ago
protobuf.js 8.x npm fixes become available
Mitigation Patch UpdateFixes for the protobuf.js 8.x branch become available in the npm packages, providing the patched 8.0.1 line for affected installations that load attacker-influenced protobuf schemas.
Show sources
- Critical flaw in Protobuf library enables JavaScript code execution — www.bleepingcomputer.com — 18.04.2026 18:09
-
18.04.2026 18:09 1 articles · 1mo ago
protobuf.js 7.x npm fixes become available
Mitigation Patch UpdateFixes for the protobuf.js 7.x branch become available in the npm packages, providing the patched 7.5.5 line for affected installations that load attacker-influenced protobuf schemas.
Show sources
- Critical flaw in Protobuf library enables JavaScript code execution — www.bleepingcomputer.com — 18.04.2026 18:09
-
18.04.2026 18:09 2 articles · 1mo ago
Public PoC and exploit analysis for protobuf.js
Technical Analysis UpdateEndor Labs says proof-of-concept exploit code is public for protobuf.js GHSA-xq3m-2v4x-88gg, where unsafe dynamic code generation through `Function()` can let a malicious schema inject arbitrary code, expose environment variables, credentials, databases, and internal systems, and potentially enable lateral movement; no active exploitation in the wild has been observed.
Show sources
- Critical flaw in Protobuf library enables JavaScript code execution — www.bleepingcomputer.com — 18.04.2026 18:09
- Critical flaw in Protobuf library enables JavaScript code execution — www.bleepingcomputer.com — 18.04.2026 18:09