Critical RCE Vulnerability Discovered in Widely Used protobuf.js Library
A critical remote code execution (RCE) vulnerability has been identified in **protobuf.js**, a popular JavaScript implementation of **Google's** Protocol Buffers. Proof-of-concept exploit code is already available, raising concerns for applications relying on this library for inter-service communication and data handling.

**protobuf.js**, boasting nearly 50 million weekly downloads on the **Node Package Manager (npm)** registry, is facing scrutiny due to a recently disclosed remote code execution (RCE) flaw. The vulnerability stems from unsafe dynamic code generation, as reported by **Endor Labs**.
### The Vulnerability: GHSA-xq3m-2v4x-88gg
Currently tracked as GHSA-xq3m-2v4x-88gg (without an official **CVE** ID), the vulnerability allows attackers to inject arbitrary code into generated functions by supplying malicious schemas. This is due to the library's method of building JavaScript functions from protobuf schemas by concatenating strings and executing them via the `Function()` constructor without proper validation of schema-derived identifiers.
**Endor Labs** explains that this flaw enables RCE on servers or applications that load attacker-influenced schemas. Successful exploitation could grant access to sensitive information such as environment variables, credentials, and databases, potentially leading to lateral movement within the compromised infrastructure. Developer machines are also at risk if they process untrusted schemas locally.
### Impact and Mitigation
The vulnerability affects **protobuf.js** versions up to and including 8.0.0 on the 8.x branch and 7.5.4 on the 7.x branch. To mitigate the risk, **Endor Labs** strongly advises upgrading to 8.0.1 (8.x) or 7.5.5 (7.x), which include a patch that sanitizes type names by stripping non-alphanumeric characters. While this patch provides immediate relief, **Endor Labs** suggests a more robust, long-term solution would be to eliminate the use of `Function` altogether for attacker-reachable identifiers.
"Exploitation is straightforward," warns **Endor Labs**, referencing the minimal proof-of-concept (PoC) included in the [security advisory](https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg). As of now, there are no reports of active exploitation in the wild.
### Disclosure Timeline
The vulnerability was reported by **Endor Labs** researcher **Cristian Staicu** on March 2nd. The **protobuf.js** maintainers released a patch on GitHub on March 11th. Updated **npm** packages were made available on April 4th for the 8.x branch and on April 15th for the 7.x branch.
### Recommendations
Besides upgrading, **Endor Labs** recommends:
* Auditing transitive dependencies.
* Treating schema-loading as untrusted input.
* Preferring precompiled/static schemas in production environments.
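One way to act on the last two recommendations, and on the allowlist-versus-stripping point from the mitigation section, as an added example that is not protobuf.js code: a gate that rejects any schema whose identifiers would not be safe to interpolate into generated code. It assumes a descriptor object in the protobuf.js-style JSON shape (`nested`, `fields` and `values` maps with a possibly dotted field `type`); the function names, reserved-word list and sample descriptor are the example's own.

```javascript
// Added example, not protobuf.js code: gate schema-derived identifiers before
// any string-based code generation can see them.
const SAFE_IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
// Names that pass the character check but would still alter generated code
// or the object it runs against (list is the example's own, not exhaustive).
const RESERVED = new Set(["function", "return", "this", "new", "var", "let",
  "const", "class", "eval", "arguments", "constructor", "prototype", "__proto__"]);

function isSafeIdentifier(name) {
  return typeof name === "string" && SAFE_IDENT.test(name) && !RESERVED.has(name);
}

// Sanitizer in the style the article attributes to the patch: strip everything
// that is not alphanumeric. Safe to interpolate, but two distinct schema names
// can collapse onto the same generated name, so rejecting is preferable.
function stripNonAlphanumeric(name) {
  return String(name).replace(/[^A-Za-z0-9]/g, "");
}

// Walk a descriptor (assumed shape: protobuf.js-style JSON with `nested`,
// `fields` and `values` maps) and return the path of every identifier that
// fails the allowlist, including each segment of a field's type name.
function findUnsafeIdentifiers(node, path = "") {
  const unsafe = [];
  for (const key of ["nested", "fields", "values"]) {
    const map = node && node[key];
    if (!map || typeof map !== "object") continue;
    for (const [name, child] of Object.entries(map)) {
      const here = path ? `${path}.${name}` : name;
      if (!isSafeIdentifier(name)) unsafe.push(here);
      if (key === "nested") unsafe.push(...findUnsafeIdentifiers(child, here));
      if (key === "fields" && child && typeof child.type === "string" &&
          !child.type.split(".").filter(Boolean).every(isSafeIdentifier)) {
        unsafe.push(`${here}:type`);
      }
    }
  }
  return unsafe;
}

// Reject rather than repair: an untrusted schema with any unsafe name is not loaded.
function assertSafeSchema(descriptor) {
  const bad = findUnsafeIdentifiers(descriptor);
  if (bad.length) throw new Error(`unsafe schema identifiers: ${bad.join(", ")}`);
  return true;
}

// Constructed sample descriptor (not from the advisory): one hyphenated field
// name and one nested type named after a reserved word.
const SAMPLE = { nested: { shop: { nested: {
  Order: { fields: { id: { type: "uint32", id: 1 }, "user-name": { type: "string", id: 2 } } },
  constructor: { fields: { x: { type: "int32", id: 1 } } },
} } } };
```

Running `assertSafeSchema(SAMPLE)` throws and names both offending paths, while `stripNonAlphanumeric` maps `user-name` and `user_name` to the same string, which is the collision the reject-first approach avoids.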
