Critical Code Execution Flaw in Protobuf.js Exposes Servers to Attack: Patch Now!
April 18, 2026
The flaw enables attackers to inject and execute arbitrary code through a malicious schema, potentially compromising servers, environment variables, credentials, databases, and internal systems, and allowing lateral movement.
The initial report came in early March from Endor Labs’ Cristian Staicu, with a public advisory and a patch released the following week; guidance stressed validating schemas and hardening deployments.
The attack works when an application processes a message using the tainted schema, as the generated function runs code crafted from the schema.
A remote code execution vulnerability affects protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers with about 50 million weekly downloads.
The root cause is unsafe dynamic code generation, where the library concatenates strings and uses the Function() constructor to build JavaScript functions from protobuf schemas without validating identifiers.
Mitigations include upgrading to patched versions, auditing transitive dependencies, treating schema loading as untrusted input, and preferring precompiled or static schemas in production.
Exploitation is reportedly straightforward, though no active real-world attacks had been observed at the time of reporting.
The advisory GHSA-xq3m-2v4x-88gg was assigned by GitHub, with Endor Labs providing the advisory and remediation guidance.
Patches were released on GitHub on March 11, with npm fixes following on April 4 for the 8.x branch and April 15 for the 7.x branch.
The vulnerability affects protobuf.js 8.0.0 and all 7.x releases up to and including 7.5.4 (and earlier); users should upgrade to 8.0.1 on the 8.x branch or 7.5.5 on the 7.x branch.
Summary based on 1 source
Source

BleepingComputer • Apr 18, 2026
Critical flaw in Protobuf library enables JavaScript code execution