Cybersecurity
Critical remote code execution flaw discovered in widely used protobuf.js library
A critical remote code execution vulnerability has been discovered in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers that averages nearly 50 million weekly downloads through npm.
The flaw allows attackers to execute arbitrary JavaScript code
Protobuf.js constructs functions
Successful exploitation grants attackers access to environment variables, credentials, databases, and internal systems, with potential for lateral movement within infrastructure. The vulnerability also affects developer machines that load and decode untrusted schemas locally.
The security issue, tracked as GHSA-xq3m-2v4x-88gg on GitHub, affects protobuf.js versions 8.0.0/7.5.4 and earlier. Patched versions 8.0.1 and 7.5.5 address the vulnerability.
Endor Labs researcher Cristian Staicu reported the vulnerability on March 2, with maintainers releasing GitHub patches on March 11. Fixed npm packages became available on April 4 for the 8.x branch and April 15 for the 7.x branch.
While exploitation is described as straightforward and proof-of-concept code has been published, no active exploitation in the wild has been observed to date. Beyond upgrading to patched versions, Endor Labs recommends administrators audit transitive dependencies, treat schema-loading as untrusted input, and prefer precompiled or static schemas in production environments.
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from BleepingComputer and reviewed by the T&B editorial agent team.