A critical vulnerability of remote code execution (CERs) has come to light in protobub.js, the JavaScript implementation of Protocol Buffers that use thousands of projects on Node.js. The problem drew attention after researchers shared a public proof-of-concept and the maintainers published patches; given the popularity of the bookstore - which records close to 50 million downloads per week- the finding deserves immediate attention by development teams and operations.
The failure lies in how the bookstore generates code dynamically from the schemes. Instead of building secure structures, protobub.js concatene chains to form JavaScript functions and run them with the Function () builder, applying very little or no validation on the identifiers extracted from the scheme (message names, types, etc.). A scheme manipulated by an attacker can insert malicious code into that chain, so when the synthetic function is finally evaluated, the injected code is run in the context of the process that loads the scheme.
This vector turns a malicious scheme into a door to access environment variables, secrets, database connections and other internal resources; it also allows side movements if the application is deployed in shared infrastructure. It is not only a risk for servers: if developers load and decode unreliable schemes on their local machines, their working environments may also be compromised.
The problem was discovered by the researcher Cristian Staicu and documented by the security company Endor Labs in a detailed report; vulnerability is recorded in GitHub as GHSA-xq3m-2v4x-88gg and Endor Labs explains the mechanism and shows a PoC in its analysis ( report by Endor Labs). Although the authors of the report have noted that the holding is simple for now, no widespread malicious activity has been confirmed in production environments.
Vulnerability affects versions of protobub.js prior to or equal to 8.0.0 and 7.5.4. The maintainers published corrections that are available in the main branches: the 8.x series was corrected with version 8.0.1 and the 7.x series with the 7.5.5; the npm packages with the patches were published in April (updates for 8.x and 7.x on different dates). The repository and security notes can be found on the project page in GitHub: protobub.js in GitHub and their releases.
The urgent solution applied to the patch is to sanitize the type names, eliminating non-alphanumeric characters to prevent an attacker from closing the synthetic function and adding malicious instructions. However, the experts point out that a more robust correction goes beyond fully using the dynamic generation of code with Function () to process identifiers that can come from external sources: avoiding the "round-tripping" of identifiers through generated code is a more secure and durable design repair.
If your project depends on protobub.js, act now: updates to the parcheed versions, checks the graph of dependencies for vulnerable versions (even as transitional dependencies) and treats the loading of schemes as unreliable input. For production equipment, a recommended practice is to use precompiled or static schemes rather than generate and evaluate code in running time. Endor Labs also suggests auditioning transient dependencies and reviewing CI / CD pipelines that can introduce unverified schemes.
In practical terms, you can check which version is installed with package manager commands (e.g. by inspecting package.json or using tools like npm ls) and force updates to secure versions (e.g. npm install protobujs @ ^ 8.0.1 or version 7.5.5 depending on the branch you use). In addition, it is recommended to incorporate automatic software scans into the pipeline and policies that prevent the download and execution of schemes from uncontrolled origins.
Public disclosure included a PoC in the project's own security advice, which makes it easier for technical teams to replicate the problem to validate it in controlled environments; official advice in GitHub contains the link to that example and to the technical discussion ( consulting in GitHub). If you need more context on finding and technical recommendations, the analysis of Endor Labs is well documented and is worth reading it carefully: report by Endor Labs.
The lesson for the development community is twofold: on the one hand, the great convenience of generating code dynamically brings risks when the inputs are not well validated; on the other, the huge dependence on shared libraries makes a single vulnerability can be wide-ranging. Updating, auditing and reducing the exposure surface remains the best defense.
18-year-old Ukrainian youth leads a network of infostealers that violated 28,000 accounts and left $250,000 in losses
The Ukrainian authorities, in coordination with US agents. They have focused on an operation of infostealer which, according to the Ukrainian Cyber Police, was allegedly adminis...
The digital signature is in check: Microsoft dismands a service that turned malware into apparently legitimate software
Microsoft announced the disarticulation of a "malware-signing-as-a-service" operation that exploited its device signature system to convert malicious code into seemingly legitim...
A single GitHub workflow token opened the door to the software supply chain
A single GitHub workflow token failed in the rotation and opened the door. This is the central conclusion of the incident in Grafana Labs following the recent wave of malicious ...
WebWorm 2025: the malware that is hidden in Discord and Microsoft Graphh to evade detection
The latest observations by cyber security researchers point to a change in worrying tactics of an actor linked to China known as WebWorm: in 2025 it has incorporated back doors ...
Identity is no longer enough: continuous verification of the device for real-time security
Identity remains the backbone of many security architectures, but today that column is cracking under new pressures: advanced phishing, real-time proxyan authentication kits and...
The dark matter of identity is changing the rules of corporate security
The Identity Gap: Snapshot 2026 report published by Orchid Security puts numbers to a dangerous trend: the "dark matter" of identity - accounts and credentials that are neither ...
PinTheft the public explosion that could give you root on Arch Linux
A new public explosion has brought to the surface again the fragility of the Linux privilege model: the V12 Security team named the failure as PinTheft and published a concept t...