gRPC and Google Cloud: 52M-Download protobuf.js Library Hit by RCE in Schema Handling

Critical RCE Vulnerability in protobuf.js Exposes Cloud and Microservice Systems

Researchers at Endor Labs have uncovered a severe remote code execution (RCE) vulnerability in protobuf.js, a widely used JavaScript library with nearly 52 million weekly downloads. Tracked as GHSA-xq3m-2v4x-88gg and assigned a CVSS score of 9.4, the flaw stems from unsafe dynamic code generation in the library’s Type.generateConstructor function, which converts untrusted input into executable JavaScript.

Attack Mechanism and Exploitation

The vulnerability arises when protobuf.js processes malicious .proto or JSON files containing crafted "type names" that include executable JavaScript payloads. Because the library does not sanitize these names before using them in generated code, attackers can inject arbitrary code that executes when the schema is loaded, even in automated or server-side workflows with no direct user interaction.

Exploitation is trivial once a poisoned file is processed, enabling threat actors to achieve full RCE, exfiltrate credentials, or pivot through internal networks. The flaw affects systems using gRPC, Firebase, and Google Cloud if they rely on protobuf.js and accept untrusted schema input. Multi-tenant platforms or gRPC reflection services are particularly at risk.

Scope and Impact

Unlike a supply-chain attack, the issue lies in how protobuf.js handles user-provided data. Researchers note that this reflects a broader threat model, "dev-tool-as-code-execution-primitive", in which development tools inadvertently become attack vectors. While the library itself is legitimate (maintained by Google-affiliated developers), its widespread use in cloud and microservice architectures amplifies the risk.

Affected Versions and Fix

The vulnerability impacts:

  • protobuf.js 8.0.0 and earlier
  • protobuf.js 7.5.4 and earlier

Endor Labs disclosed the flaw to maintainers on 2 March 2026, with confirmation on 9 March 2026. A patch was released in April 2026, introducing a one-line fix (jsname = name.replace(/\W/g, "")) to strip dangerous characters from input. Organizations are urged to update to 8.0.1 or 7.5.5 to mitigate the risk.
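As an added illustration (this is not code from protobuf.js, Endor Labs, or the article), the following JavaScript places the normalization described in the patch next to a stricter validator that rejects a bad type name instead of stripping characters from it, and walks a parsed JSON schema to report every offending name before the schema is loaded. The `nested` schema layout, the `findUnsafeTypeNames` helper, and the sample schema are assumptions constructed for this example.

```javascript
// Added example: defensive handling of protobuf type names before they are
// used in dynamically generated JavaScript. Not protobuf.js code.

// Same normalization as the reported one-line fix: drop every character
// outside [A-Za-z0-9_] so the name can only ever be a plain identifier.
function sanitizeTypeName(name) {
  return String(name).replace(/\W/g, "");
}

// Stricter alternative (an assumption for this example, not library code):
// accept only names that are already valid identifiers and refuse anything
// else, so two different inputs can never collapse into one generated symbol.
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

function isSafeTypeName(name) {
  return typeof name === "string" && IDENTIFIER.test(name);
}

// Walk a parsed JSON schema (protobuf.js-style "nested" layout, reduced to
// the part that matters here) and return the dotted full names of every
// type whose name fails the identifier check. An empty array means the
// file is safe to hand to the schema loader.
function findUnsafeTypeNames(jsonSchema, prefix = "") {
  const bad = [];
  const nested = (jsonSchema && jsonSchema.nested) || {};
  for (const [name, def] of Object.entries(nested)) {
    const full = prefix ? `${prefix}.${name}` : name;
    if (!isSafeTypeName(name)) bad.push(full);
    if (def && def.nested) bad.push(...findUnsafeTypeNames(def, full));
  }
  return bad;
}

// Constructed sample schema (not a real file) mixing valid and invalid names.
const sampleSchema = {
  nested: {
    Greeting: { fields: { text: { type: "string", id: 1 } } },
    "Bad-Name": { fields: {} },
    pkg: { nested: { "has space": { fields: {} }, Ok_1: { fields: {} } } },
  },
};

console.log("unsafe type names:", findUnsafeTypeNames(sampleSchema));
```

Stripping and rejecting are not equivalent: `sanitizeTypeName("Bad-Name")` and `sanitizeTypeName("BadName")` both yield `BadName`, so a schema containing both would silently merge two types, whereas the reject-based check fails the file and leaves the decision to the operator. Either way, the check runs on the parsed file before any code derived from it is generated or executed.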

Source: https://hackread.com/52m-download-protobuf-js-library-rce-schema-handle/

Google Cloud Security cybersecurity rating report: https://www.rankiteo.com/company/googlecloudsecurity

gRPC cybersecurity rating report: https://www.rankiteo.com/company/g-rpc

{
  "id": "GOOG-R1776771217",
  "linkid": "googlecloudsecurity, g-rpc",
  "type": "Vulnerability",
  "date": "4/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': ['Technology',
                                     'Cloud Services',
                                     'Software Development'],
                        'location': 'Global',
                        'name': 'Organizations using protobuf.js',
                        'type': 'Various (cloud providers, microservice '
                                'platforms)'}],
 'attack_vector': 'Malicious .proto/JSON files with crafted type names',
 'data_breach': {'data_exfiltration': 'Possible',
                 'file_types_exposed': ['.proto', 'JSON'],
                 'sensitivity_of_data': 'High (potential for full system '
                                        'access)',
                 'type_of_data_compromised': ['Credentials',
                                              'Internal network data']},
 'date_detected': '2026-03-02',
 'date_publicly_disclosed': '2026-04-01',
 'date_resolved': '2026-04-01',
 'description': 'Researchers at Endor Labs uncovered a severe remote code '
                'execution (RCE) vulnerability in protobuf.js, a widely used '
                'JavaScript library with nearly 52 million weekly downloads. '
                'The flaw (GHSA-xq3m-2v4x-88gg, CVSS 9.4) stems from unsafe '
                'dynamic code generation in the library’s '
                '`Type.generateConstructor` function, allowing attackers to '
                'inject arbitrary code via malicious .proto or JSON files.',
 'impact': {'data_compromised': 'Credentials, internal network access',
            'operational_impact': 'Potential full system compromise, lateral '
                                  'movement in networks',
            'systems_affected': 'Cloud and microservice systems using '
                                'protobuf.js (gRPC, Firebase, Google Cloud)'},
 'investigation_status': 'Resolved (patch released)',
 'lessons_learned': 'Development tools can inadvertently become attack vectors '
                    '(dev-tool-as-code-execution-primitive). Input '
                    'sanitization is critical even in non-user-facing '
                    'workflows.',
 'post_incident_analysis': {'corrective_actions': 'Added input sanitization '
                                                  '(`jsname = '
                                                  'name.replace(/\\W/g, "")`)',
                            'root_causes': 'Lack of input sanitization in '
                                           '`Type.generateConstructor` '
                                           'function'},
 'recommendations': 'Update protobuf.js to 8.0.1 or 7.5.5 immediately. Audit '
                    'systems for untrusted schema input processing. Implement '
                    'strict input validation for .proto/JSON files.',
 'references': [{'source': 'Endor Labs Research'},
                {'source': 'GitHub Advisory (GHSA-xq3m-2v4x-88gg)'}],
 'response': {'containment_measures': 'Patch released (protobuf.js '
                                      '8.0.1/7.5.5)',
              'remediation_measures': 'Update to patched versions (8.0.1 or '
                                      '7.5.5)',
              'third_party_assistance': 'Endor Labs (researchers)'},
 'title': 'Critical RCE Vulnerability in protobuf.js Exposes Cloud and '
          'Microservice Systems',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'Unsafe dynamic code generation in '
                            '`Type.generateConstructor` (CVE not assigned, '
                            'GHSA-xq3m-2v4x-88gg)'}