Perceptive Security
SOC/SIEM Consultancy

Critical flaw in Protobuf library enables JavaScript code execution
Published:
18 April 2026 at 15:09:44
Alert date:
18 April 2026 at 16:00:44
Source:
bleepingcomputer.com
Web Technologies, Supply Chain & Dependencies, Zero-Day Vulnerabilities
A critical remote code execution vulnerability has been discovered in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers. Proof-of-concept exploit code has been published for this flaw, making it actively exploitable. The vulnerability enables JavaScript code execution and affects many applications that rely on this popular library for protocol buffer handling. Given the widespread use of protobuf.js in web applications and the availability of exploit code, this represents a significant security risk requiring immediate attention and patching.
Technical details
The vulnerability is caused by unsafe dynamic code generation in protobuf.js. The library builds JavaScript functions from protobuf schemas by concatenating strings and executing them via the Function() constructor, but fails to validate schema-derived identifiers such as message names. This allows attackers to supply malicious schemas that inject arbitrary code into the generated function, which is executed when the application processes a message using that schema. The flaw enables remote code execution on servers or applications that load attacker-influenced schemas.
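The pattern described above, as an added example that is not protobuf.js's own code: a toy generator concatenates a schema-derived message name into source text and compiles it with Function(), exactly the shape of the unsafe construction the advisory describes. Beside it are the two defensive forms a reviewer would ask for: an identifier allowlist that stops non-identifier names from ever reaching the generator, and a closure-based encoder that needs no runtime code generation at all, so the name is only ever used as data. All names and schema contents here are constructed; `buildEncoderUnsafe`, `isSafeIdentifier` and the closure variant are hypothetical helpers written for this illustration.

```javascript
// Added example, not protobuf.js's own code. It reproduces the unsafe pattern the
// advisory describes (a schema-derived name concatenated into source that is then
// compiled with Function()) in a toy generator and shows two fixes: validating
// identifiers before they reach the generator, and avoiding runtime code
// generation altogether. All names below are constructed sample input.

// --- Unsafe pattern (toy, hypothetical): the name goes straight into source text.
// Any character in the name that is not part of a plain identifier becomes code.
function buildEncoderUnsafe(messageName) {
  const src =
    "return function " + messageName + "(msg) { return JSON.stringify(msg); }";
  return new Function(src)();
}

// --- Fix 1: only accept names that are plain identifiers before generating code.
// ECMAScript identifiers may contain Unicode, but restricting schema names to
// ASCII identifiers is a deliberately conservative allowlist (assumption: the
// application does not need non-ASCII message names).
const IDENT_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const RESERVED = new Set([
  "function", "return", "var", "let", "const", "eval", "arguments",
  "new", "this", "class", "yield", "await", "delete", "typeof",
]);

function isSafeIdentifier(name) {
  return typeof name === "string" && IDENT_RE.test(name) && !RESERVED.has(name);
}

function buildEncoderValidated(messageName) {
  if (!isSafeIdentifier(messageName)) {
    throw new Error(
      "schema-derived name is not a plain identifier: " + JSON.stringify(messageName)
    );
  }
  // Same generator as above, but it is only reachable with a vetted name.
  return buildEncoderUnsafe(messageName);
}

// --- Fix 2: no code generation at all. A closure gives the same behaviour and
// the name is attached as a property, never interpreted as source text.
function buildEncoderClosure(messageName) {
  const encode = (msg) => JSON.stringify(msg);
  // Function "name" is configurable, so it can be set for nicer stack traces.
  Object.defineProperty(encode, "name", { value: String(messageName) });
  return encode;
}
```

The allowlist in fix 1 is the minimal change to an existing generator; fix 2 is what "prefer precompiled/static schemas" amounts to in practice, since a schema that is never turned into source text cannot inject into it.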
Mitigation steps:
Upgrade to protobuf.js 8.0.1 or 7.5.5, which address the issue. Audit transitive dependencies, treat schema loading as untrusted input, and prefer precompiled/static schemas in production.
Affected products:
protobuf.js versions 8.0.0 and lower
protobuf.js versions 7.5.4 and lower
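The "audit transitive dependencies" step above, as an added example that is not part of the advisory or of protobuf.js: a small Node script that walks the `packages` map of a lockfile and flags every copy of `protobufjs`, direct or nested, whose version falls in the affected ranges listed here (8.0.0, fixed in 8.0.1; 7.5.4 and lower, fixed in 7.5.5). The lockfile below is constructed, `some-grpc-client` is a hypothetical package that pulls in a nested copy, and pre-release suffixes are ignored for simplicity (assumption).

```javascript
// Added example, not from the advisory or protobuf.js. It checks protobufjs
// versions recorded in a package-lock.json against the fixed versions the
// advisory names: 7.5.5 for the 7.x line and 8.0.1 for the 8.x line.
// Assumption: plain "major.minor.patch" versions; pre-release tags are ignored.

const FIXED = { 7: [7, 5, 5], 8: [8, 0, 1] };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error("unparseable version: " + v);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the version is in an affected range from the advisory:
// 8.0.0 (fixed in 8.0.1) or anything at or below 7.5.4 (fixed in 7.5.5).
function isAffected(version) {
  const v = parseVersion(version);
  if (v[0] >= 8) return cmp(v, FIXED[8]) < 0;
  return cmp(v, FIXED[7]) < 0;
}

// Walk lockfile v2/v3 "packages" entries. Keys look like "node_modules/protobufjs"
// for a direct copy or "node_modules/<dep>/node_modules/protobufjs" for a nested
// (transitive) copy, which is the one a top-level "npm ls" glance tends to miss.
function findAffectedProtobufjs(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/protobufjs")) continue;
    if (entry && entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the direct copy is already on a fixed version,
// but a hypothetical "some-grpc-client" still carries a nested affected copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/protobufjs": { version: "7.5.5" },
    "node_modules/some-grpc-client": {
      version: "1.0.0",
      dependencies: { protobufjs: "^8.0.0" },
    },
    "node_modules/some-grpc-client/node_modules/protobufjs": { version: "8.0.0" },
  },
};

// Usage: node audit-protobufjs.js   (prints the affected copies of the sample)
for (const hit of findAffectedProtobufjs(SAMPLE_LOCK)) {
  console.log(`affected protobufjs ${hit.version} at ${hit.path}`);
}
```

Point the same function at `JSON.parse(fs.readFileSync("package-lock.json"))` to audit a real project; a nested copy like the one in the sample is why the advisory stresses transitive dependencies, since the top-level entry can be fixed while an older copy is still loaded by a dependency.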
Related links:
http://www.npmjs.com/package/protobufjs
https://www.endorlabs.com/learn/the-dangers-of-reusing-protobuf-definitions-critical-code-execution-in-protobuf-js-ghsa-xq3m-2v4x-88gg
https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg
https://github.com/cristianstaicu
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
