Critical RCE vulnerability in protobuf.js library

Critical flaw in widely used Protocol Buffers library
Proof-of-concept exploit code has been published for a critical remote code execution vulnerability in protobuf.js, a JavaScript implementation of Google's Protocol Buffers with nearly 50 million weekly downloads from npm.
Technical details of the vulnerability
The vulnerability (tracked as GHSA-xq3m-2v4x-88gg) is caused by unsafe dynamic code generation. The library builds JavaScript functions from protobuf schemas by concatenating strings and executing them via the Function() constructor, but fails to validate schema-derived identifiers like message names.
This allows an attacker to supply a malicious schema that injects arbitrary code into the generated function, which executes when the application processes a message using that schema.
Impact and affected versions
- Affects protobuf.js versions 8.0.0 and lower on the 8.x branch, and 7.5.4 and lower on the 7.x branch
- Enables RCE on servers or applications loading attacker-influenced schemas
- Can grant access to environment variables, credentials, databases, and internal systems
- Allows lateral movement within infrastructure
- Could affect developer machines loading untrusted schemas locally
Patches and recommendations
Upgrade to patched versions:
- 8.0.1 for the 8.x branch (released to npm on April 4)
- 7.5.5 for the 7.x branch (released to npm on April 15)
The patch sanitizes type names by stripping non-alphanumeric characters, so an attacker can no longer terminate the generated function body and append code of their own. Endor Labs notes that a longer-term fix would be to stop round-tripping attacker-reachable identifiers through Function entirely.
Additional recommendations from Endor Labs:
- Audit transitive dependencies
- Treat schema-loading as untrusted input
- Prefer precompiled/static schemas in production
Timeline and status
- Vulnerability reported by Endor Labs researcher Cristian Staicu on March 2
- Patch released on GitHub on March 11
- npm packages updated in April
- No active exploitation observed to date
- Exploitation described as "straightforward" with minimal PoC available
Source: HN AI Agents