Vulnerability Management, Patch/Configuration Management, Supply chain

Critical RCE vulnerability in protobuf.js; Exploit code published

Per Bleeping Computer, proof-of-concept exploit code has been released for a critical remote code execution vulnerability in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers. The library is downloaded roughly 50 million times a week from the npm registry and sits in the dependency trees of many applications, frequently as a transitive dependency rather than one a project declares directly.

The vulnerability, tracked as GHSA-xq3m-2v4x-88gg, stems from unsafe dynamic code generation: protobuf.js builds message encoders and decoders at runtime by generating JavaScript source from the schema, so identifiers taken from a malicious schema are spliced into that source and executed as code. The injected code runs when the application processes a message using the compromised schema, potentially leading to remote code execution on servers or developer machines. The precondition is that the application loads or parses schema definitions (.proto text or JSON descriptors) that an attacker can influence; an application that only ever uses schemas it ships itself is not reachable through this path. The flaw affects versions 7.5.4 and 8.0.0, with patches available in versions 7.5.5 and 8.0.1.

Endor Labs warns that exploitation is straightforward, though no active exploitation in the wild has been observed. Organizations are advised to upgrade protobuf.js, audit dependency trees for the affected versions (including transitive ones), treat schema loading as untrusted input, and consider precompiling schemas to static code ahead of time (for example with protobuf.js's pbjs tool) so that no schema is parsed or compiled at runtime.
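To make the bug class concrete, the following is an added illustration, not protobuf.js's code and not the published exploit: a toy schema compiler that, like protobuf.js, turns a schema into a decoder with `new Function`, shown in a vulnerable form that splices field names straight into generated source and in a hardened form that validates names and never emits them as source text. The schemas, the `IDENT` pattern and the `pwned` marker are constructed for this example.

```javascript
// Added example (not protobuf.js code): how schema-driven code generation becomes
// code injection, and how to harden it. All names here are illustrative.

// Strict identifier allow-list for field names (assumption for this example).
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Constructed sample schemas: one benign, one whose field name carries JavaScript.
const benignSchema = { fields: ["id", "name"] };
const maliciousSchema = {
  fields: ["id", "name; globalThis.pwned = true; //"],
};

// VULNERABLE: the field name is interpolated as raw source, so anything after a
// ';' in the name becomes a statement inside the generated decoder.
function compileDecoderUnsafe(schema) {
  let src = "const out = {};\n";
  for (const f of schema.fields) {
    src += `out.${f} = msg.${f};\n`;
  }
  src += "return out;";
  return new Function("msg", src);
}

// HARDENED: reject anything that is not a plain identifier, and even then emit
// the name as a JSON string literal used with bracket access, never as source.
function compileDecoderSafe(schema) {
  for (const f of schema.fields) {
    if (typeof f !== "string" || !IDENT.test(f)) {
      throw new TypeError(`illegal field name: ${JSON.stringify(f)}`);
    }
  }
  let src = "const out = {};\n";
  for (const f of schema.fields) {
    const key = JSON.stringify(f); // "\"id\"", safe to embed
    src += `out[${key}] = msg[${key}];\n`;
  }
  src += "return out;";
  return new Function("msg", src);
}

// Runs the unsafe compiler on a schema and reports whether injected code executed.
function schemaInjectsCode(schema) {
  globalThis.pwned = false;
  const decode = compileDecoderUnsafe(schema);
  decode({ id: 1, name: "a" }); // constructed message
  return globalThis.pwned === true;
}

// Returns true if the hardened compiler refuses the schema, false if it accepts it.
function hardenedRejects(schema) {
  try {
    compileDecoderSafe(schema);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

console.log("benign schema injects code:", schemaInjectsCode(benignSchema));       // false
console.log("malicious schema injects code:", schemaInjectsCode(maliciousSchema)); // true
console.log("hardened compiler rejects malicious schema:", hardenedRejects(maliciousSchema)); // true
```

The point of the hardened version is the two-layer defence: an allow-list on the identifier before any source is built, and bracket access with a JSON-encoded key so that a validation slip still cannot turn a name into code. Precompiling schemas ahead of time removes the runtime `new Function` step altogether, which is why the advisory recommends it for applications that can ship fixed schemas.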

Source: Bleeping Computer
