Critical RCE vulnerability in protobuf.js; exploit code published

April 20, 2026

By SC Staff

Per Bleeping Computer, proof-of-concept exploit code has been released for a critical remote code execution vulnerability affecting protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers. The library sees approximately 50 million weekly downloads from the npm registry and is integral to many applications.

The vulnerability, tracked as GHSA-xq3m-2v4x-88gg, stems from unsafe dynamic code generation within protobuf.js. An attacker can supply a malicious schema that injects arbitrary code into the JavaScript functions protobuf.js generates; that code executes when the application processes a message using the compromised schema, potentially leading to remote code execution on servers or developer machines.

The flaw affects versions 8.0.0 and 7.5.4; patches are available in versions 8.0.1 and 7.5.5. Endor Labs warns that exploitation is straightforward, though no active exploitation in the wild has been observed. Organizations are advised to upgrade protobuf.js, audit their dependencies, treat schema loading as untrusted input, and consider using precompiled schemas to mitigate the risk.

Source: Bleeping Computer
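As an added example (not code from the SC Media brief or from the protobuf.js project), the following JavaScript shows one way to act on the advice to treat schema loading as untrusted input: a gate that walks a protobuf.js-style JSON descriptor and refuses to hand it to protobuf.js unless every message, field, enum, oneof and type name is a plain identifier. It assumes the schema arrives in protobuf.js's JSON descriptor format (the shape accepted by Root.fromJSON); the two sample descriptors are constructed, and the strict-identifier rule is a general hardening measure for schemas from outside the trust boundary, not a statement of the advisory's exact trigger.

```javascript
// Added example: a pre-load gate for protobuf.js JSON descriptors that
// arrive from an untrusted source. Not part of protobuf.js itself.
// ASSUMPTION: descriptors use protobuf.js's JSON descriptor shape,
// { nested: { Pkg: { nested: { Msg: { fields: { f: { type, id } } } } } } }.
'use strict';

// Strict identifier: what a hand-written .proto file allows for names.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
// Type references may be dotted ("google.protobuf.Timestamp") or scalar ("uint32").
const TYPE_REF = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;

// Walk a descriptor and collect every name that is not a plain identifier.
// Returns an array of "path: reason" strings; an empty array means it passed.
function findUnsafeNames(node, path = 'root') {
  const problems = [];
  if (node === null || typeof node !== 'object') return problems;

  const checkKeys = (obj, label, re) => {
    for (const key of Object.keys(obj || {})) {
      if (!re.test(key)) {
        problems.push(`${path}.${label}: ${JSON.stringify(key)} is not a valid identifier`);
      }
    }
  };

  // Message/enum/service names, enum value names, oneof groups, rpc methods.
  checkKeys(node.nested, 'nested', IDENT);
  checkKeys(node.values, 'values', IDENT);
  checkKeys(node.oneofs, 'oneofs', IDENT);
  checkKeys(node.methods, 'methods', IDENT);

  // Field names, the type each field references, and map key types.
  for (const [fname, field] of Object.entries(node.fields || {})) {
    if (!IDENT.test(fname)) {
      problems.push(`${path}.fields: ${JSON.stringify(fname)} is not a valid identifier`);
    }
    if (field && typeof field.type === 'string' && !TYPE_REF.test(field.type)) {
      problems.push(`${path}.fields.${fname}.type: ${JSON.stringify(field.type)} is not a valid type reference`);
    }
    if (field && field.keyType !== undefined && !TYPE_REF.test(String(field.keyType))) {
      problems.push(`${path}.fields.${fname}.keyType: ${JSON.stringify(field.keyType)} is not a valid type reference`);
    }
  }

  // Recurse into nested namespaces and messages.
  for (const [name, child] of Object.entries(node.nested || {})) {
    problems.push(...findUnsafeNames(child, `${path}.${name}`));
  }
  return problems;
}

// Gate: return the descriptor only if it is clean, otherwise throw.
// An application would then call protobuf.Root.fromJSON(loadTrustedDescriptor(json)).
function loadTrustedDescriptor(json) {
  const problems = findUnsafeNames(json);
  if (problems.length > 0) {
    throw new Error(`Rejected untrusted schema:\n  ${problems.join('\n  ')}`);
  }
  return json;
}

// Constructed sample descriptor with well-formed names.
const goodSchema = {
  nested: {
    shop: {
      nested: {
        Order: {
          fields: {
            orderId: { type: 'string', id: 1 },
            items: { rule: 'repeated', type: 'LineItem', id: 2 },
            placedAt: { type: 'google.protobuf.Timestamp', id: 3 },
          },
        },
        LineItem: { fields: { sku: { type: 'string', id: 1 }, qty: { type: 'uint32', id: 2 } } },
      },
    },
  },
};

// Constructed sample with names no .proto compiler would accept (three violations).
const badSchema = {
  nested: {
    shop: {
      nested: {
        'Order-v2': { fields: { 'order id': { type: 'string', id: 1 } } },
        Receipt: { fields: { total: { type: 'money amount', id: 1 } } },
      },
    },
  },
};

console.log('good schema problems:', findUnsafeNames(goodSchema)); // []
console.log('bad schema problems:', findUnsafeNames(badSchema));   // 3 entries
```

The gate only narrows what a runtime-loaded schema may contain; the stronger option the brief points to is to avoid runtime schema loading entirely by compiling schemas to static code at build time (protobuf.js ships the pbjs tool for that) and shipping the generated module rather than the descriptor.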