protobufjs patches schema-driven code generation RCE
TL;DR — A critical protobuf schema injection bug in protobufjs can turn attacker-influenced .proto/descriptor inputs into runtime JavaScript code execution during decode.
What happened
protobufjs is a widely used JavaScript implementation of Google Protocol Buffers, commonly pulled in (often transitively) anywhere Node.js services or tooling need to parse/encode protobuf payloads.
Endor Labs reports a critical remote code execution issue tracked as GHSA-xq3m-2v4x-88gg (CVSS 9.4): protobufjs dynamically generates JavaScript functions from protobuf schemas/descriptors using the Function() constructor, but does not sufficiently validate schema-derived identifiers. A malicious schema/descriptor can inject attacker-controlled JavaScript into the generated source, and the payload executes when the application first processes (e.g., decodes) a message using that definition.
Impact is RCE when an attacker can control the protobuf definition input (schema/descriptor) consumed by a target service or client. Endor Labs highlights this as a realistic precondition in ecosystems that reuse schemas across teams, registries, and integrations.
Why it matters: this is the classic “dynamic codegen + untrusted input = code execution” failure mode, but in a dependency that many platform teams ship indirectly via gRPC/cloud SDK dependency trees.
Who is impacted
- Any application or toolchain that uses `protobufjs` and loads protobuf schemas/descriptors from sources outside its trust boundary (shared registries, partner-provided schemas, third-party servers, or other attacker-influenced distribution paths).
- Projects with `protobufjs` present as a transitive dependency (Endor Labs calls out common pull paths like `@grpc/proto-loader`, Firebase, and Google Cloud SDKs).
| Component | Affected versions (per advisory/research) | Patched versions (per advisory/research) |
|---|---|---|
| protobufjs (8.x line) | <= 8.0.0 | 8.0.1 |
| protobufjs (7.x line) | <= 7.5.4 | 7.5.5 |
What to do now
- Follow vendor remediation guidance and move to a patched release for your major line. "Patches are available in 8.0.1 and 7.5.5. Organizations should upgrade immediately and audit transitive dependencies, especially via `@grpc/proto-loader`, Firebase, and Google Cloud SDKs."
- Inventory exposure:
  - Enumerate direct/transitive usage (e.g., `npm ls protobufjs`) and identify which services/tools ingest protobuf schemas or JSON descriptors dynamically at runtime.
- Treat schema ingestion as security-sensitive input:
  - Tighten trust boundaries for where `.proto` files / descriptors can be sourced from.
  - Prefer precompiled/static schemas in production paths where feasible (reduce attacker influence on runtime codegen).
- If compromise is suspected, treat this like application-layer RCE:
  - Review provenance of schemas/descriptors recently consumed by impacted services and rotate credentials/secrets reachable from the execution context.
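Where precompiled schemas are not an option, the "schema ingestion is security-sensitive input" point above can be enforced with a pre-load gate. The following is an added example, not code from the advisory or the protobufjs project: it walks a protobufjs-style JSON descriptor (the `Root.toJSON()` layout) and rejects any schema-derived name or type reference that is not a plain identifier, so a descriptor from outside the trust boundary is checked before the library ever generates code from it. The function names and sample descriptors are constructed for illustration.

```javascript
// Added example (not from the advisory or the protobufjs project): reject
// schema-derived names that are not plain identifiers before an untrusted
// descriptor is handed to the library. Assumes the Root.toJSON() layout:
// { nested: { Pkg: { nested: { Msg: { fields: { f: { type, id } } } } } } }
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;                 // one bare name
const TYPE_REF = /^\.?[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$/;    // dotted type reference

// Walk a descriptor node and collect every name that fails the identifier
// check. Returns a list of human-readable problems; an empty list means clean.
function findUnsafeNames(node, path = '') {
  const problems = [];
  const here = path || '<root>';
  const check = (name, kind) => {
    if (!IDENT.test(name)) problems.push(`${kind} name ${JSON.stringify(name)} in ${here}`);
  };
  if (!node || typeof node !== 'object') return problems;
  // Namespaces, messages, enums and services all live under `nested`.
  for (const [name, child] of Object.entries(node.nested || {})) {
    check(name, 'type');
    problems.push(...findUnsafeNames(child, path ? `${path}.${name}` : name));
  }
  // Message fields: the field name and its type reference both reach codegen.
  for (const [name, field] of Object.entries(node.fields || {})) {
    check(name, 'field');
    if (typeof field.type !== 'string' || !TYPE_REF.test(field.type)) {
      problems.push(`field type ${JSON.stringify(field.type)} in ${here}`);
    }
    if (field.keyType !== undefined && !IDENT.test(field.keyType)) {
      problems.push(`map key type ${JSON.stringify(field.keyType)} in ${here}`);
    }
  }
  for (const name of Object.keys(node.oneofs || {})) check(name, 'oneof');
  for (const name of Object.keys(node.values || {})) check(name, 'enum value');
  for (const name of Object.keys(node.methods || {})) check(name, 'method');
  return problems;
}

// Gate to call before protobuf.Root.fromJSON(descriptor) on untrusted input.
function isDescriptorSafe(descriptor) {
  return findUnsafeNames(descriptor).length === 0;
}

// Constructed sample descriptors (not real-world schemas).
const cleanDescriptor = { nested: { demo: { nested: { Greeting: {
  fields: { text: { type: 'string', id: 1 }, tags: { keyType: 'string', type: 'int32', id: 2 } } } } } } };
const taintedDescriptor = { nested: { demo: { nested: { Greeting: {
  fields: { 'user name': { type: 'string', id: 1 } } } } } } };
```

Run `findUnsafeNames` on every descriptor that crosses a trust boundary and log the returned problems as a detection signal; a rejected descriptor from a shared registry is itself worth an investigation.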
