As a pure JavaScript implementation of Google’s Protocol Buffers, protobuf.js is a foundational component for Node.js and browser-based applications, boasting 220 million downloads every month. However, a critical arbitrary code execution vulnerability has been uncovered, threatening to turn this ubiquitous tool into a staging ground for remote attacks. The flaw, which carries a CVSS score of 9.4, strikes at the very heart of how the library handles structured data.
Protobuf.js works by compiling protobuf definitions into optimized JavaScript functions. The vulnerability resides in the way these definitions are parsed. Researchers discovered that attackers can manipulate these definitions to inject arbitrary JavaScript code directly into the “type” fields.
When the application later attempts to decode an object using the compromised definition, the injected code is automatically executed as part of the decoding process. This effectively bypasses the expected logic of the library, allowing an adversary to run commands within the context of the application’s process.
The primary impact of this flaw is Remote Code Execution (RCE). However, exploitation is contingent on the attacker’s ability to control the protobuf definition files used by the application. If an environment allows for the dynamic loading or external modification of these .proto or JSON descriptor files, an unauthenticated attacker could achieve full system compromise.
A Proof-of-Concept (PoC) illustrates how a malicious JSON descriptor can be crafted to execute system commands, such as the id command, simply by triggering a UserType.decode() operation.
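Because the report says the injection point is the “type” fields of a descriptor that protobuf.js compiles into JavaScript, one defensive control is to refuse any descriptor whose type-like values are not plain protobuf identifiers before it reaches the library. The following is an added example written for this article, not code from protobuf.js or from the researchers; the descriptor layout follows protobufjs' JSON format (nested / fields / type) and the two sample descriptors are constructed.

```javascript
// Protobuf identifiers: letters, digits, underscore, optionally dotted (pkg.Msg).
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;

// Walk a protobufjs-style JSON descriptor and collect every message name,
// field name, "type" or "keyType" value that is not a bare identifier.
// Anything else would be interpolated into generated decoder source, which
// is exactly the surface the advisory describes. Returns violation paths.
function findUnsafeDescriptorValues(descriptor, path = "") {
  const violations = [];
  const nested = descriptor.nested || {};
  for (const [name, def] of Object.entries(nested)) {
    const here = path ? `${path}.${name}` : name;
    if (!IDENT.test(name)) violations.push(`${here}: bad type name`);
    for (const [fname, fdef] of Object.entries(def.fields || {})) {
      if (!IDENT.test(fname)) violations.push(`${here}.${fname}: bad field name`);
      for (const key of ["type", "keyType"]) {
        const v = fdef[key];
        if (v !== undefined && !IDENT.test(String(v))) {
          violations.push(`${here}.${fname}.${key}: "${v}"`);
        }
      }
    }
    // Recurse into nested packages/messages.
    violations.push(...findUnsafeDescriptorValues(def, here));
  }
  return violations;
}

// Gate to call before Root.fromJSON() on any externally supplied descriptor.
function isDescriptorSafe(descriptor) {
  return findUnsafeDescriptorValues(descriptor).length === 0;
}

// Constructed sample descriptors (hypothetical, not from the advisory's PoC).
const cleanDescriptor = { nested: { demo: { nested: { UserType: { fields: {
  id: { type: "uint32", id: 1 }, name: { type: "string", id: 2 } } } } } } };
// Same shape, but one "type" value is not an identifier and must be rejected.
const taintedDescriptor = { nested: { demo: { nested: { UserType: { fields: {
  id: { type: "uint32", id: 1 }, name: { type: "string x", id: 2 } } } } } } };

console.log(isDescriptorSafe(cleanDescriptor));    // true
console.log(findUnsafeDescriptorValues(taintedDescriptor));
```

Run this on any descriptor loaded from a file, network or database before handing it to protobufjs; it narrows the attack surface described above but does not replace upgrading to a patched release.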
Given the massive scale of protobufjs deployment, developers are urged to audit their dependency trees and update to a secured version immediately.
Affected Versions:
- 8.x line: Versions 8.0.0 and earlier.
- 7.x line: Versions 7.5.4 and earlier.
Patched Versions: