# Critical remote code execution flaw discovered in widely used protobuf.js library

_Saturday, April 18, 2026 at 4:07 PM EDT · Cybersecurity · Latest · Tier 2 — Notable_

![Critical remote code execution flaw discovered in widely used protobuf.js library — Primary](https://www.bleepstatic.com/content/hl-images/2026/04/17/protobuf.jpg)

A critical remote code execution vulnerability has been discovered in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers that averages nearly 50 million weekly downloads through npm.

The flaw allows attackers to execute arbitrary JavaScript code by injecting malicious code through specially crafted protobuf schemas. Application security firm Endor Labs reported the vulnerability, which stems from the library's unsafe dynamic code generation when building JavaScript functions from schemas.

Protobuf.js constructs functions by concatenating strings and executing them via the Function() constructor, but fails to properly validate schema-derived identifiers like message names. This oversight enables attackers to supply malicious schemas that inject code into generated functions, which then executes when applications process messages using those schemas.

Successful exploitation grants attackers access to environment variables, credentials, databases, and internal systems, with potential for lateral movement within infrastructure. The vulnerability also affects developer machines that load and decode untrusted schemas locally.

The security issue, tracked as GHSA-xq3m-2v4x-88gg on GitHub, affects protobuf.js up to and including 8.0.0 on the 8.x branch and 7.5.4 on the 7.x branch. Patched versions 8.0.1 and 7.5.5 address the vulnerability by sanitizing type names to strip non-alphanumeric characters, so that a schema-supplied name can no longer break out of the generated function body.

Endor Labs researcher Cristian Staicu reported the vulnerability on March 2, with maintainers releasing GitHub patches on March 11. Fixed npm packages became available on April 4 for the 8.x branch and April 15 for the 7.x branch.

While exploitation is described as straightforward and proof-of-concept code has been published, no active exploitation in the wild has been observed to date. Beyond upgrading to patched versions, Endor Labs recommends that administrators audit transitive dependencies, treat schema loading as handling of untrusted input, and prefer precompiled or static schemas in production environments.
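As an added example that is not part of the original article or of protobuf.js itself, the following checks implement two of those recommendations on the consuming side: a pre-load scan that rejects schema-derived names which are not plain identifiers (the same property the patch enforces by sanitizing type names), and a check of the installed version against the patched releases named above. The regexes are a deliberately simple scan of `.proto` text rather than a full parser, and the sample schemas are constructed for illustration.

```javascript
// Added example: defensive pre-load checks for schemas handed to a dynamic
// code-generating library. Not protobuf.js code; helper names are our own.

// A name is safe if it is a plain JavaScript identifier and nothing else.
const SAFE_IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Deliberately simple scan of .proto text: type declarations and field names.
const DECL_RE = /\b(message|enum|oneof)\s+([^\s{]+)\s*\{/g;
const FIELD_RE = /^\s*(?:optional|required|repeated)?\s*[\w.]+\s+([^\s=]+)\s*=\s*\d+/gm;

// Returns every schema-derived name that is not a plain identifier.
function findUnsafeNames(protoSource) {
  const unsafe = [];
  for (const m of protoSource.matchAll(DECL_RE)) {
    if (!SAFE_IDENT.test(m[2])) unsafe.push({ kind: m[1], name: m[2] });
  }
  for (const m of protoSource.matchAll(FIELD_RE)) {
    if (!SAFE_IDENT.test(m[1])) unsafe.push({ kind: 'field', name: m[1] });
  }
  return unsafe;
}

// First patched release per major, as stated in the advisory summary above.
const PATCHED_FLOOR = { 8: [8, 0, 1], 7: [7, 5, 5] };

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True only for releases at or above the patched floor of their major line;
// majors older than 7.x are treated as unpatched.
function isPatchedVersion(version) {
  const parts = version.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) return false;
  const floor = PATCHED_FLOOR[parts[0]];
  return floor !== undefined && compareVersions(parts, floor) >= 0;
}

// Constructed sample schemas: one clean, one with non-identifier names.
const SAMPLE_SAFE =
  'syntax = "proto3";\nmessage Order {\n  string id = 1;\n  repeated Item items = 2;\n}\n';
const SAMPLE_UNSAFE = 'message Order-Item {\n  string na-me = 1;\n}\n';

// Combined gate a service can run before loading a schema at runtime.
function schemaLoadAllowed(protoSource, installedVersion) {
  return isPatchedVersion(installedVersion) && findUnsafeNames(protoSource).length === 0;
}
```

The scan is a pre-filter, not a substitute for upgrading: the hardened library is what actually removes the dynamic-codegen risk.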

## Sources

- [BleepingComputer](https://www.bleepingcomputer.com/news/security/critical-flaw-in-protobuf-library-enables-javascript-code-execution/)

---
Canonical: https://techandbusiness.org/newswire/Azr6jnPnblfJFZmxpsoFyl
Retrieved: 2026-04-18T23:34:16.754Z
Publisher: Tech & Business (techandbusiness.org)
