Critical Protobuf.js Flaw Allows Code Injection via Malicious Schemas

A critical remote code execution vulnerability in the widely used protobuf.js library enables attackers to execute arbitrary JavaScript by supplying malicious Protocol Buffer schemas. The flaw stems from unsafe dynamic code generation where the library concatenates strings and uses the Function() constructor without properly validating schema-derived identifiers. An attacker can inject code into generated functions that executes when an application processes a message using the compromised schema.

The issue affects protobuf.js version 8.0.0 and versions 7.5.4 and lower, which collectively average nearly 50 million weekly npm downloads. Exploitation could grant access to environment variables, credentials, databases, and internal systems, potentially enabling lateral movement within infrastructure. Developer machines loading untrusted schemas locally are also at risk.

The vulnerability has been assigned GitHub identifier GHSA-xq3m-2v4x-88gg but no official CVE yet. Patches were released in versions 8.0.1 and 7.5.5, which sanitize type names by stripping non-alphanumeric characters. Proof-of-concept exploit code is publicly available, though no active in-the-wild exploitation has been observed. Administrators are advised to audit transitive dependencies, treat schema-loading as untrusted input, and prefer precompiled static schemas in production environments.
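The root cause described above (schema-derived names spliced into a Function() body without validation) and the fix described in this paragraph (sanitizing type names) are easiest to see in a small generator. The following is an added example written for this page, not code from protobuf.js or its maintainers: a toy message verifier generator with the hardened pattern, plus an audit routine an application can run over a parsed schema before any code is generated. The schema shape (`{ types: [{ name, fields: [{ name, jsType }] }] }`), the function names, and the sample schemas are all assumptions made for the demonstration.

```javascript
// Added example, not protobuf.js's own code: schema-derived names are validated or
// sanitized before they can reach a Function() body.

// Protocol Buffer identifiers are letters, digits and underscores, not starting with a digit.
const SAFE_IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
// Only these value types may be referenced by generated code.
const ALLOWED_JS_TYPES = new Set(["string", "number", "boolean"]);

// Mitigation 1 (what the article says the patch does): strip every non-alphanumeric
// character. Safe for code generation, but distinct names can collapse into one.
function sanitizeTypeName(name) {
  return String(name).replace(/[^A-Za-z0-9]/g, "");
}

// Mitigation 2 (stricter, used by the generator below): refuse anything that is not a
// plain identifier, so a schema author cannot smuggle characters into generated source.
function assertSafeIdentifier(name, what) {
  if (typeof name !== "string" || !SAFE_IDENT.test(name)) {
    throw new Error(`unsafe ${what} in schema: ${JSON.stringify(name)}`);
  }
  return name;
}

// Audit a parsed schema (hypothetical shape, see lead-in) and return every identifier
// that would be rejected, without generating any code. Useful for treating schema
// loading as untrusted input: run this before handing the schema to a code generator.
function auditSchema(schema) {
  const findings = [];
  for (const t of schema.types) {
    if (!SAFE_IDENT.test(String(t.name))) findings.push(`type ${JSON.stringify(t.name)}`);
    for (const f of t.fields) {
      if (!SAFE_IDENT.test(String(f.name))) {
        findings.push(`field ${JSON.stringify(t.name)}.${JSON.stringify(f.name)}`);
      }
      if (!ALLOWED_JS_TYPES.has(f.jsType)) {
        findings.push(`type of field ${JSON.stringify(f.name)}: ${JSON.stringify(f.jsType)}`);
      }
    }
  }
  return findings;
}

// Hardened generator: every name is validated before it is spliced into the source, and
// message values are passed in at call time, never embedded in the generated source.
function buildVerifier(typeName, fields) {
  assertSafeIdentifier(typeName, "type name");
  const src = [];
  for (const f of fields) {
    assertSafeIdentifier(f.name, "field name");
    if (!ALLOWED_JS_TYPES.has(f.jsType)) {
      throw new Error(`unsupported field type ${JSON.stringify(f.jsType)}`);
    }
    // Only validated identifiers and JSON-encoded string literals reach the source.
    src.push(
      `if (m.${f.name} !== undefined && typeof m.${f.name} !== ${JSON.stringify(f.jsType)})`,
      `  return ${JSON.stringify(`${typeName}.${f.name}: expected ${f.jsType}`)};`
    );
  }
  src.push("return null;");
  return new Function("m", src.join("\n"));
}

// Constructed sample schemas for the demonstration: one clean, one with a type name
// containing a space, a field name containing a hyphen, and an unsupported value type.
const GOOD_SCHEMA = {
  types: [{ name: "User", fields: [{ name: "id", jsType: "number" }, { name: "email", jsType: "string" }] }],
};
const BAD_SCHEMA = {
  types: [{ name: "My Type", fields: [{ name: "id", jsType: "number" }, { name: "e-mail", jsType: "object" }] }],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("audit good:", auditSchema(GOOD_SCHEMA)); // []
  console.log("audit bad:", auditSchema(BAD_SCHEMA));   // three findings
  const verifyUser = buildVerifier("User", GOOD_SCHEMA.types[0].fields);
  console.log(verifyUser({ id: 1, email: "a@example.test" })); // null
  console.log(verifyUser({ id: "1" }));                         // "User.id: expected number"
}
```

Rejecting (assertSafeIdentifier) rather than stripping (sanitizeTypeName) is the better choice for an application that loads schemas at runtime: a stripped name silently changes the generated API and can collide with another type, whereas a rejected schema fails loudly at load time, before any generated function can run. The audit function gives the same signal without touching Function() at all, which is the check to add wherever the article's advice to treat schema loading as untrusted input applies.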
