Unsafe dynamic code generation in protobuf.js enables remote code execution via malicious schemas
Summary
A critical remote code execution vulnerability in protobuf.js, a widely adopted JavaScript implementation of Protocol Buffers used for inter-service communication and structured data handling, has been disclosed. The flaw arises from unsafe dynamic code generation, where the library executes JavaScript functions constructed from untrusted protobuf schemas using the Function() constructor without proper validation of schema-derived identifiers. Attackers can craft malicious schemas containing identifier names that inject arbitrary code, which is executed when the application processes the schema. Successful exploitation allows arbitrary command execution on servers, developer machines, or cloud environments running affected versions, leading to credential theft, database access, and potential lateral movement within infrastructure. The vulnerability impacts protobuf.js versions 8.0.0/7.5.4 and lower, with patches released in 8.0.1, 7.5.5, and subsequent npm updates.
Timeline
- 18.04.2026 18:09: Critical RCE vulnerability in protobuf.js disclosed and patched
A critical remote code execution vulnerability (GHSA-xq3m-2v4x-88gg) in protobuf.js, caused by unsafe dynamic code generation and unvalidated schema identifiers, was disclosed. The flaw enables arbitrary code execution when processing malicious protobuf schemas via the Function() constructor, impacting servers, developer machines, and cloud environments. Affected versions are 8.0.0/7.5.4 and lower. Patches were released on March 11, 2026, with npm package updates deployed April 4 (8.x) and April 15 (7.x), 2026. No active exploitation has been observed, but a proof-of-concept exploit is available.
- Critical flaw in Protobuf library enables JavaScript code execution — www.bleepingcomputer.com — 18.04.2026 18:09
Information Snippets
- The remote code execution vulnerability (RCE) in protobuf.js is caused by unsafe dynamic code generation, where JavaScript functions are constructed from protobuf schemas and executed via the Function() constructor without validating schema-derived identifiers such as message names.
First reported: 18.04.2026 18:09
-
Exploitation requires an attacker to supply a malicious protobuf schema that injects arbitrary code into the generated function, which executes when the application processes a message using that schema.
- Affected protobuf.js versions are 8.0.0/7.5.4 and lower. Patches were released in versions 8.0.1 and 7.5.5, with npm package updates deployed on April 4 for the 8.x branch and April 15 for the 7.x branch.
- The vulnerability is tracked as GHSA-xq3m-2v4x-88gg by GitHub and has not received an official CVE number as of April 18, 2026.
- The flaw can impact servers, cloud environments, and developer machines that load and decode untrusted schemas locally, potentially exposing environment variables, credentials, databases, and internal systems to compromise.
- Endor Labs reports that exploitation is straightforward and provides a proof-of-concept exploit in its advisory, though no active exploitation in the wild has been observed to date.
- The vulnerability was reported by researcher Cristian Staicu on March 2, 2026, and patched by protobuf.js maintainers on March 11, 2026.
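The summary and the first two snippets above describe the root cause: a schema-derived identifier (such as a message name) is interpolated into JavaScript source and executed through Function() without being validated. The following is an added example, not protobuf.js code and not the patch the maintainers shipped; it shows the two defensive options a code generator has (refuse any name that is not a strict identifier before interpolating it, or avoid source interpolation altogether by setting the function's name property), plus a version check built from the affected and patched versions the page states. The helper names, the identifier grammar, the reserved-word list and the sample names are all assumptions constructed for this illustration.

```javascript
// Added example (not protobuf.js code): validating schema-derived identifiers
// before they reach dynamically generated JavaScript, and checking whether an
// installed version falls in the affected range stated in the advisory summary.
// Every helper name and sample value here is constructed for illustration.

// Strict identifier grammar: an ASCII letter or underscore followed by letters,
// digits or underscores. This is deliberately narrower than the full ECMAScript
// identifier rules so that anything able to terminate or alter the generated
// source (quotes, parentheses, semicolons, newlines, escapes) is rejected.
const SAFE_IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Names that match the grammar but are not usable as a function name, or that
// collide with runtime-significant property names. Constructed list.
const RESERVED = new Set([
  "break", "case", "catch", "class", "const", "continue", "debugger", "default",
  "delete", "do", "else", "enum", "export", "extends", "false", "finally", "for",
  "function", "if", "import", "in", "instanceof", "new", "null", "return", "super",
  "switch", "this", "throw", "true", "try", "typeof", "var", "void", "while",
  "with", "yield", "let", "static", "implements", "interface", "package",
  "private", "protected", "public", "await", "arguments", "eval",
  "constructor", "prototype", "__proto__",
]);

// True only for a name that is safe to embed verbatim in generated source.
function isSafeIdentifier(name) {
  return typeof name === "string" && name.length <= 128 &&
    SAFE_IDENT.test(name) && !RESERVED.has(name);
}

// Option 1: keep source interpolation, but validate first and refuse (never
// "sanitize") anything that fails. The generated body is a stand-in for a
// decoder; it just tags its input with the message name.
function buildNamedDecoder(messageName) {
  if (!isSafeIdentifier(messageName)) {
    throw new Error(`refusing to generate code for unsafe identifier: ${JSON.stringify(messageName)}`);
  }
  // Safe only because messageName has passed isSafeIdentifier above.
  const src = `return function ${messageName}(fields) { return { type: "${messageName}", fields }; };`;
  return new Function(src)();
}

// Option 2: do not interpolate the untrusted value into source at all. The
// function is an ordinary closure and its displayed name is set through the
// configurable "name" property, so the schema text never becomes code.
function buildNamedDecoderWithoutCodegen(messageName) {
  if (!isSafeIdentifier(messageName)) {
    throw new Error(`rejecting unsafe identifier: ${JSON.stringify(messageName)}`);
  }
  const decoder = (fields) => ({ type: messageName, fields });
  Object.defineProperty(decoder, "name", { value: messageName });
  return decoder;
}

// Version check derived from the page: 8.0.0 / 7.5.4 and lower are affected,
// 8.0.1 and 7.5.5 are patched. Majors above 8 are assumed (not stated on the
// page) to postdate the fix and are reported as not affected.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(version) {
  const [major] = parseVersion(version);
  if (major > 8) return false;                              // assumption, see above
  if (major === 8) return compareVersions(version, "8.0.1") < 0;
  return compareVersions(version, "7.5.5") < 0;             // 7.x and older lines
}
```

Refusing rather than rewriting a bad name matters: a sanitizer that strips a few characters invites bypasses, while a strict allow-list leaves nothing for the schema author to work with. Option 2 is the stronger design because the untrusted string never participates in code generation, so the validator becomes defence in depth rather than the sole barrier. The version helper is only as good as the ranges stated on this page; confirm against the GHSA-xq3m-2v4x-88gg advisory before relying on it in an inventory scan.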