Critical Flaw in Protobuf Library Enables JavaScript Code Execution



What happened

A critical remote code execution vulnerability has been discovered in protobuf.js, a JavaScript implementation of Google’s Protocol Buffers with nearly 50 million weekly downloads on the npm registry. Tracked as GHSA-xq3m-2v4x-88gg with a CVSS score of 9.4, the flaw was reported by Endor Labs researcher Cristian Staicu on March 2 and has not yet been assigned a CVE identifier.

The vulnerability stems from unsafe dynamic code generation: the library builds JavaScript functions from protobuf schemas by concatenating strings and executing them via the Function() constructor, but fails to validate schema-derived identifiers such as message names before they are spliced into the generated source. An attacker who can influence the protobuf schema an application loads can therefore inject arbitrary JavaScript that executes with the privileges of the Node.js process. Endor Labs describes exploitation as straightforward and includes a minimal proof-of-concept in its advisory, though no in-the-wild exploitation has been observed to date.

Maintainers released patches on GitHub on March 11, with fixed npm packages available from April 4 for the 8.x branch and April 15 for the 7.x branch. Affected versions are 8.0.0 on the 8.x branch and 7.5.4 and lower; the patched versions are 8.0.1 and 7.5.5. Endor Labs notes that the flaw also reaches applications through transitive dependencies, including packages pulled in via @grpc/proto-loader, Firebase, and Google Cloud SDKs.
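To make the bug class concrete, the following is an added example written for this page, not protobuf.js’s own code generator: a toy setter generator that splices a schema-derived field name into a Function() body, next to a hardened version that validates the identifier before any code is generated. The function names, the identifier regex, the reserved-name list and the two constructed field names are assumptions for illustration; the injected payload only sets a flag on globalThis so the demo is harmless.

```javascript
// Added example, not protobuf.js code: a toy generator for the bug class
// described above. It builds a field setter by concatenating a schema-derived
// name into a Function() body. Names, regex and inputs are assumptions.

// Vulnerable: the field name from the schema goes straight into the source text.
function buildSetterUnsafe(fieldName) {
  return new Function("m", "v", "m." + fieldName + " = v;");
}

// Hardened: only a strict identifier charset reaches Function(), and names
// that would let a schema write to Object.prototype are refused as well.
const IDENT_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const RESERVED = new Set(["__proto__", "constructor", "prototype"]);
function buildSetterSafe(fieldName) {
  if (!IDENT_RE.test(fieldName) || RESERVED.has(fieldName)) {
    throw new Error("rejected schema identifier: " + JSON.stringify(fieldName));
  }
  return new Function("m", "v", "m." + fieldName + " = v;");
}

// Constructed schema field names: one benign, one carrying injected JavaScript.
// The payload only sets a flag on globalThis; a real one would run with the
// full privileges of the Node.js process.
const BENIGN_NAME = "id";
const INJECTED_NAME = "id = v; globalThis.__pwned = true; m.id";

// Unsafe path. The generated body becomes:
//   m.id = v; globalThis.__pwned = true; m.id = v;
// so the setter still "works" while the injected statement executes.
function demoUnsafe() {
  globalThis.__pwned = false;
  const set = buildSetterUnsafe(INJECTED_NAME);
  const msg = {};
  set(msg, 42);
  return { id: msg.id, pwned: globalThis.__pwned === true };
}

// Safe path: the injected name is rejected before Function() is ever called,
// while the benign name still produces a working setter.
function demoSafe() {
  globalThis.__pwned = false;
  let rejected = false;
  try {
    buildSetterSafe(INJECTED_NAME);
  } catch (e) {
    rejected = true;
  }
  const msg = {};
  buildSetterSafe(BENIGN_NAME)(msg, 42);
  return { id: msg.id, rejected, pwned: globalThis.__pwned === true };
}

console.log("unsafe:", demoUnsafe());
console.log("safe:  ", demoSafe());
```

The identifier check is the whole fix: once a name is constrained to a plain identifier, string concatenation can no longer change the shape of the generated program. The reserved-name list is a separate, cheap precaution against a schema that is syntactically valid but targets Object.prototype.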

Who is affected

Any application using protobuf.js 8.0.0, or 7.5.4 and lower, is potentially exposed, including those pulling the library in as a transitive dependency through gRPC, Firebase, or Google Cloud tooling. The attack surface is broader than direct usage alone, given how widely protobuf schemas are reused and shared across organizations via registries such as the Buf Schema Registry and public repositories.

Why CISOs should care

With a public proof-of-concept already available and exploitation described as straightforward, the window before active attacks begin is narrow. The broader concern is the supply chain dimension: protobuf.js is embedded deeply in modern cloud-native and microservices infrastructure, often as a transitive dependency that may not be visible in direct dependency audits. Organizations relying on gRPC services, Firebase, or Google Cloud SDKs may be exposed without knowing they use protobuf.js at all.

3 practical actions

  1. Identify all protobuf.js instances including transitive dependencies: Run dependency audits using npm ls protobufjs across your codebase and CI pipelines to surface direct and indirect pulls (or read the lockfile directly where node_modules is not installed), paying particular attention to packages using @grpc/proto-loader, Firebase, or Google Cloud SDKs.
  2. Upgrade immediately to patched versions: Update protobuf.js to version 8.0.1 or 7.5.5 depending on your major branch, and verify that transitive dependencies have also been updated to versions referencing the patched release.
  3. Treat protobuf schema sources as untrusted input: Review any application that loads protobuf schemas from external registries, third-party repositories, or user-supplied sources, and apply validation controls to prevent schema-derived identifiers from reaching the Function() constructor.
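The inventory in step 1 can be done from the lockfile alone, which is useful in CI where node_modules may not exist. The following is an added example, not Endor Labs or npm tooling, that scans a package-lock.json with a lockfileVersion 2 or 3 "packages" map, including nested copies installed under other packages, and flags versions below the fixes named above (8.0.1 on 8.x, 7.5.5 otherwise). The sample lockfile and the helper names are constructed for the demo; the "and lower" in the advisory is taken to mean that every version below 7.5.5, older majors included, counts as affected. lockfileVersion 1 files use a nested "dependencies" tree and are not handled here.

```javascript
// Added example, not from the advisory or npm: scan an npm lockfile (v2/v3
// "packages" map) for every protobufjs copy, nested ones included, and flag
// versions below the patched releases. The sample lockfile is constructed.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { protobufjs: "^8.0.0" } },
    "node_modules/protobufjs": { version: "8.0.0" },
    "node_modules/@grpc/proto-loader": { version: "0.7.13" },
    // nested copy that a top-level glance would miss
    "node_modules/@grpc/proto-loader/node_modules/protobufjs": { version: "7.5.4" },
    "node_modules/other-lib/node_modules/protobufjs": { version: "7.5.5" },
    // similarly named package that must not be matched
    "node_modules/protobufjs-cli": { version: "1.1.3" },
  },
});

// Fixed versions per branch from the advisory. Assumption: everything below
// 7.5.5, including older majors, is treated as affected.
const FIXED = { major8: [8, 0, 1], other: [7, 5, 5] };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error("unparseable version: " + v);
  return m.slice(1, 4).map(Number);
}

function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  const v = parseVersion(version);
  const fixed = v[0] >= 8 ? FIXED.major8 : FIXED.other;
  return cmpVersion(v, fixed) < 0;
}

// Returns every protobufjs entry with its install path, version and status.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  if (!lock.packages) throw new Error("lockfileVersion 1 layout not supported here");
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    // match ".../node_modules/protobufjs" exactly, at any nesting depth
    if (!/(^|\/)node_modules\/protobufjs$/.test(path)) continue;
    findings.push({ path, version: entry.version, vulnerable: isVulnerable(entry.version) });
  }
  return findings;
}

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(f.vulnerable ? "VULNERABLE" : "ok        ", f.version, f.path);
}
```

For a real project, feed the contents of package-lock.json (or npm-shrinkwrap.json) to auditLockfile; yarn and pnpm lockfiles use different formats and need their own parser. A transitive copy such as the @grpc/proto-loader one above will only move to a fixed version when that intermediate package's own range allows it, so after upgrading, re-run the audit rather than trusting the top-level version.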
