protobuf.js RCE: unsanitized schema identifiers pipe straight into Function()
Original source: "Critical flaw in Protobuf library enables JavaScript code execution" (BleepingComputer)

A critical remote code execution flaw in protobuf.js, the JavaScript port of Google's Protocol Buffers that pulls roughly 50 million weekly npm downloads, lets attacker-controlled schemas execute arbitrary code inside consuming applications. The library compiles protobuf schemas into JavaScript by concatenating strings and passing them to the Function() constructor, but never validates schema-derived identifiers like message names. An attacker who can influence a loaded schema simply closes the synthetic function body and appends their own payload, which runs wherever the schema is processed.
Endor Labs, whose researcher Cristian Staicu reported the bug on March 2, says exploitation is straightforward and published a minimal PoC. Impact on the server side covers environment variables, credentials, database access, and lateral movement inside the infrastructure; developer workstations that decode untrusted schemas locally are exposed too. The issue is tracked as GHSA-xq3m-2v4x-88gg with no CVE assigned yet, and affects versions up to 8.0.0 and 7.5.4.
Patched releases 8.0.1 (April 4) and 7.5.5 (April 15) strip non-alphanumeric characters from type names, which breaks the injection vector but leaves the underlying pattern — round-tripping attacker-reachable strings through Function() — intact. Endor recommends auditing transitive dependencies, treating any loaded schema as untrusted input, and shipping precompiled static schemas in production rather than generating them at runtime. No in-the-wild exploitation has been observed.
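The article describes two things a defender can act on: the unsafe pattern (schema-derived names spliced into source text handed to Function()) and the mitigation (treat every loaded schema as untrusted and validate its identifiers before any code generation). The following is an added illustration written for this summary, not code from protobuf.js or from Endor Labs. It walks a protobuf.js-style JSON descriptor (the `{ nested: { Type: { fields: {...} } } }` shape), flags any type or field name that is not a plain JavaScript identifier, and shows a code-generation step that keeps schema strings out of the generated source by passing them in as data. The helper names (`isSafeIdentifier`, `findUnsafeNames`, `buildDecoder`) and the sample descriptor are constructed for the example.

```javascript
// Added example (not protobuf.js code): allowlist validation of schema-derived
// names before any string-to-code step, plus a codegen pattern that never
// splices those names into source text.

// Strict allowlist: ASCII identifier characters only. This is deliberately
// narrower than the full ECMAScript identifier grammar; anything outside it is
// rejected rather than escaped.
const IDENT_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Reserved words are valid-looking but would still break generated code.
const RESERVED = new Set([
  "break", "case", "catch", "class", "const", "continue", "debugger", "default",
  "delete", "do", "else", "enum", "export", "extends", "false", "finally", "for",
  "function", "if", "import", "in", "instanceof", "new", "null", "return",
  "super", "switch", "this", "throw", "true", "try", "typeof", "var", "void",
  "while", "with", "yield", "let", "static", "await",
]);

function isSafeIdentifier(name) {
  return typeof name === "string" && IDENT_RE.test(name) && !RESERVED.has(name);
}

// Walk a protobuf.js-style JSON descriptor and report every type or field
// name that must not reach a code-generation step. Returns [] for a clean
// descriptor so callers can gate loading on `findUnsafeNames(d).length === 0`.
function findUnsafeNames(descriptor, path = []) {
  const bad = [];
  const nested = (descriptor && descriptor.nested) || {};
  for (const [name, def] of Object.entries(nested)) {
    const here = [...path, name];
    if (!isSafeIdentifier(name)) bad.push({ path: here.join("."), kind: "type" });
    for (const fieldName of Object.keys((def && def.fields) || {})) {
      if (!isSafeIdentifier(fieldName)) {
        bad.push({ path: [...here, fieldName].join("."), kind: "field" });
      }
    }
    if (def && def.nested) bad.push(...findUnsafeNames(def, here));
  }
  return bad;
}

// Hardened codegen pattern: the generated source is a fixed template with no
// schema-derived text in it. The type name is passed to the factory as an
// argument, so it is data inside the function, never part of its source.
// Validation still runs first so that a bad schema fails loudly at load time.
function buildDecoder(typeName) {
  if (!isSafeIdentifier(typeName)) {
    throw new Error(`refusing to generate code for type name ${JSON.stringify(typeName)}`);
  }
  const factory = new Function(
    "typeName",
    "return function decode(reader) { return { type: typeName, value: reader }; };"
  );
  return factory(typeName);
}

// Constructed sample descriptor: one clean message, one type whose name
// contains non-identifier characters, and a nested scope with a reserved-word
// field and a hyphenated inner type.
const SAMPLE_DESCRIPTOR = {
  nested: {
    Greeting: { fields: { text: { type: "string", id: 1 } } },
    "Bad}; nope": { fields: { ok: { type: "int32", id: 1 } } },
    Outer: {
      fields: { delete: { type: "int32", id: 1 } },
      nested: { "in-valid": { fields: {} } },
    },
  },
};

function demo() {
  const problems = findUnsafeNames(SAMPLE_DESCRIPTOR);
  for (const p of problems) console.log(`unsafe ${p.kind} name at ${p.path}`);
  console.log(buildDecoder("Greeting")("payload"));
  return problems;
}

if (typeof require !== "undefined" && require.main === module) demo();
```

The point of `buildDecoder` is that the Function() body is a constant: whatever a schema author puts in a type name can only ever become the value of `typeName`, not part of the program. Running `findUnsafeNames` over every descriptor before it is compiled (or, as the article recommends, shipping precompiled static schemas so no runtime compilation happens at all) is the check a consuming application can add without waiting for upstream fixes.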
This is an AI-generated summary; read the original article at BleepingComputer for the full story.