Critical flaw in Protobuf library enables JavaScript code execution

Proof-of-concept exploit code has been published for a critical remote code execution flaw in protobuf.js that stems from unsafe dynamic function generation from schemas. Users should upgrade to protobuf.js 8.0.1 or 7.5.5, audit schema sources, and avoid loading untrusted schemas to mitigate the risk.

Key points

  • The RCE is caused by protobuf.js building functions via string concatenation and the Function() constructor without validating schema-derived identifiers.
  • A working proof-of-concept exploit has been published, and Endor Labs warns that exploitation is straightforward.
  • The flaw affects protobuf.js versions 8.0.0/7.5.4 and lower, with fixes released in 8.0.1 and 7.5.5.
  • An attacker can supply a malicious schema to execute arbitrary code, exposing environment variables, credentials, databases, and enabling lateral movement.
  • Mitigations include upgrading, auditing transitive dependencies, treating schema-loading as untrusted input, and using precompiled/static schemas in production.
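
The pattern the key points describe, as an added illustration that is not protobuf.js's own code: a schema-supplied field name spliced into a function body and compiled with Function(), beside two hardened forms (validate the identifier first, or avoid code generation entirely) and a schema-level check that treats loaded field names as untrusted input. The function names and the sample schema are assumptions constructed for this example.

```javascript
// Added illustration of the code-generation pattern described in the key
// points. Constructed for this page, NOT protobuf.js's own generator; the
// function names and the sample schema are assumptions.
// Vulnerable form: a schema-supplied field name is spliced verbatim into the
// source text of a function and compiled with Function(). Any name that is
// not a plain identifier therefore becomes part of the generated program.
function buildGetterUnsafe(fieldName) {
  return new Function("obj", "return obj." + fieldName + ";");
}

// A single JavaScript identifier: letters, digits, _ and $, not starting with
// a digit. Spaces, commas, semicolons, quotes and brackets are all rejected.
const IDENT_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
function isSafeIdentifier(name) {
  return typeof name === "string" && IDENT_RE.test(name);
}

// Hardened form 1: validate before generating code, refuse otherwise.
function buildGetterChecked(fieldName) {
  if (!isSafeIdentifier(fieldName)) {
    throw new Error("unsafe field name in schema: " + JSON.stringify(fieldName));
  }
  return new Function("obj", "return obj." + fieldName + ";");
}

// Hardened form 2: no code generation at all. Bracket access treats the name
// as data, so it can never alter the structure of the program.
function buildGetterNoCodegen(fieldName) {
  return (obj) => obj[fieldName];
}

// Treat a loaded schema as untrusted input: check every field name up front
// and report the offending names instead of silently compiling them.
function findUnsafeFieldNames(schema) {
  const bad = [];
  for (const msg of Object.values(schema.messages || {})) {
    for (const name of Object.keys(msg.fields || {})) {
      if (!isSafeIdentifier(name)) bad.push(name);
    }
  }
  return bad;
}

// Constructed sample schema: one ordinary field, one that is not an identifier.
const SAMPLE_SCHEMA = {
  messages: {
    Greeting: { fields: { text: { type: "string", id: 1 },
                          "text, 'injected'": { type: "string", id: 2 } } },
  },
};
```

With the unsafe builder the second field name turns `return obj.text, 'injected';` into a comma expression that ignores the object entirely; both hardened builders either reject the name or treat it as a plain property key.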

Read More: https://www.bleepingcomputer.com/news/security/critical-flaw-in-protobuf-library-enables-javascript-code-execution/