Critical RCE Vulnerability in protobuf.js Exposes Cloud and Microservice Systems Researchers at Endor Labs have uncovered a severe remote code execution (RCE) vulnerability in protobuf.js, a widely used JavaScript library with nearly 52 million weekly downloads. Tracked as GHSA-xq3m-2v4x-88gg and assigned a CVSS score of 9.4, the flaw stems from unsafe dynamic code generation in the library’s `Type.generateConstructor` function, which converts untrusted input into executable JavaScript. ### Attack Mechanism and Exploitation The vulnerability arises when protobuf.js processes malicious .proto or JSON files containing crafted "type names" that include executable JavaScript payloads. Since the library fails to sanitize these inputs, attackers can inject arbitrary code that executes when the schema is loaded even in automated or server-side workflows without direct user interaction. Exploitation is trivial once a poisoned file is processed, enabling threat actors to achieve full RCE, exfiltrate credentials, or pivot through internal networks. The flaw affects systems using gRPC, Firebase, and Google Cloud if they rely on protobuf.js and accept untrusted schema input. Multi-tenant platforms or gRPC reflection services are particularly at risk. ### Scope and Impact Unlike a supply-chain attack, the issue lies in how protobuf.js handles user-provided data. Researchers note this reflects a broader threat model "dev-tool-as-code-execution-primitive" where development tools inadvertently become attack vectors. While the library itself is legitimate (maintained by Google-affiliated developers), its widespread use in cloud and microservice architectures amplifies the risk. ### Affected Versions and Fix The vulnerability impacts: - protobuf.js 8.0.0 and earlier - 7.5.4 and earlier Endor Labs disclosed the flaw to maintainers on 2 March 2026, with confirmation on 9 March 2026. A patch was released in April 2026, introducing a one-line fix (`jsname = name.replace(/\W/g, "")`) to strip dangerous characters from input. Organizations are urged to update to 8.0.1 or 7.5.5 to mitigate the risk.