Arbitrary JavaScript Execution Flaw in protobufjs via Malicious Protobuf Definitions
A vulnerability in the npm package protobufjs allows arbitrary JavaScript execution when an application processes attacker-controlled protobuf definition files. The flaw, tracked as GHSA-xq3m-2v4x-88gg, stems from unsafe handling of protobuf type fields, which can be compiled into executable JavaScript and triggered during object decoding, creating a path to remote code execution in affected deployments.
The issue affects protobufjs versions up to 8.0.0 and 7.5.4, and has been fixed in 8.0.1 and 7.5.5. A published proof of concept shows a malicious JSON descriptor invoking Node.js child_process during decode, underscoring the risk for applications that ingest untrusted schema or descriptor data. Organizations using protobufjs should upgrade to the patched releases and review whether external parties can supply protobuf definitions.
Timeline
Apr 16, 2026
protobufjs fixes released in versions 8.0.1 and 7.5.5
The vulnerability was reported as fixed in protobufjs versions 8.0.1 and 7.5.5. These releases address the remote code execution risk when applications process attacker-controlled protobuf definition files.
Apr 16, 2026
Arbitrary code execution flaw disclosed in protobufjs
A GitHub security advisory disclosed that protobufjs contains an arbitrary JavaScript execution vulnerability caused by attacker-controlled protobuf "type" fields being compiled into executable code during decoding. The issue affects versions up to 8.0.0 and up to 7.5.4, and the advisory included a proof of concept showing code execution via a malicious JSON descriptor.
Mar 2, 2026
Endor Labs privately reports protobufjs RCE to maintainers
Endor Labs reported the protobuf.js remote code execution vulnerability to the project maintainers. The flaw involved unsafe dynamic JavaScript generation from untrusted schema names, enabling code execution when crafted .proto or JSON schema files were processed.
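The summary and timeline above describe the root cause as schema names and field `type` values flowing from an untrusted descriptor into generated decoder code. Upgrading to 8.0.1 / 7.5.5 is the fix; as defence in depth for services that must accept third-party JSON descriptors, the following added example (not code from protobufjs, the advisory or Endor Labs) rejects any descriptor whose message, field or type names are not plain protobuf identifiers before it reaches `protobuf.Root.fromJSON()`. It assumes the standard protobufjs JSON descriptor shape (`{ nested: { Msg: { fields: { f: { type, id } } } } }`); the sample descriptors are constructed.

```javascript
// Protobuf identifiers: optional leading dot, dotted segments of [A-Za-z_][A-Za-z0-9_]*.
// Anything else (spaces, punctuation, brackets) has no business in a "type" value.
const PROTO_IDENT = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;

// Walk a protobufjs-style JSON descriptor and collect every name or type that is
// not a bare identifier. Recurses into nested messages; enums (which carry
// "values" rather than "fields") are still checked for a valid name.
function collectBadTypes(descriptor, path = '', out = []) {
  const nested = descriptor && descriptor.nested;
  if (!nested || typeof nested !== 'object') return out;
  for (const [name, node] of Object.entries(nested)) {
    const here = path ? `${path}.${name}` : name;
    if (!PROTO_IDENT.test(name)) out.push(`${here}: rejected message/enum name`);
    if (!node || typeof node !== 'object') continue;
    for (const [fname, field] of Object.entries(node.fields || {})) {
      if (!PROTO_IDENT.test(fname)) out.push(`${here}.${fname}: rejected field name`);
      if (!field || typeof field.type !== 'string' || !PROTO_IDENT.test(field.type)) {
        out.push(`${here}.${fname}: rejected type ${JSON.stringify(field && field.type)}`);
      }
    }
    collectBadTypes(node, here, out); // nested messages and enums
  }
  return out;
}

// Gate to call before protobuf.Root.fromJSON(descriptor) on untrusted input.
function isSafeDescriptor(descriptor) {
  return collectBadTypes(descriptor).length === 0;
}

// Constructed sample: well-formed descriptor, including a dotted well-known type.
const SAFE_DESCRIPTOR = {
  nested: {
    Greeting: {
      fields: {
        text: { type: 'string', id: 1 },
        when: { type: 'google.protobuf.Timestamp', id: 2 },
      },
    },
  },
};

// Constructed sample: a "type" value that is not an identifier and must be rejected.
const REJECTED_DESCRIPTOR = {
  nested: { Greeting: { fields: { text: { type: 'string; not an identifier', id: 1 } } } },
};
```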
Related Stories

JavaScript Library Flaws Enable Sandbox Escape and Code Execution
Two high-severity flaws were disclosed in widely used JavaScript libraries, exposing applications to sandbox bypass and arbitrary code execution. **CVE-2026-34208** affects SandboxJS before `0.8.36` and allows attacker-supplied code to evade protections on direct assignment to global objects by abusing an exposed constructor path. The bypass uses `this.constructor.call(target, attackerObject)` to reach the internal `SandboxGlobal` function while `Function.prototype.call` remains permitted, enabling arbitrary properties to be written into host global objects that persist across sandbox instances in the same process. A separate issue, **CVE-2026-41242**, impacts `protobufjs` before `8.0.1` and `7.5.5`, where attackers can inject arbitrary code into Protocol Buffers definition `type` fields and trigger execution during object decoding with a malicious schema. The weakness is classified as **CWE-94** and carries a CVSS v4 rating reflecting network-reachable exploitation with high impact to confidentiality, integrity, availability, and downstream systems. Maintainers released fixes in SandboxJS `0.8.36` and protobufjs `8.0.1` and `7.5.5`.
2 weeks ago
Critical Axios Flaw Enables Request Smuggling, IMDSv2 Bypass, and Cloud Compromise
A critical vulnerability in the Axios HTTP client library, tracked as **`CVE-2026-40175`**, allows attackers to turn polluted JavaScript object properties into malicious HTTP headers and abuse outbound requests for **SSRF**, **request smuggling**, and potential **remote code execution**. Researchers said the flaw stems from improper header handling in Axios’s HTTP adapter and unsafe config merging, which can let `Object.prototype` values containing CRLF characters be injected into requests. The issue can be chained with prototype pollution in other npm packages to target internal services, including the AWS EC2 metadata endpoint at `169.254.169.254`, potentially bypassing **IMDSv2** and exposing cloud credentials or broader infrastructure. A public proof-of-concept was released alongside disclosure, raising urgency for defenders even though active exploitation had not been confirmed at the time of reporting. The flaw affects Axios versions before **`1.13.2`**, while maintainers said **`1.15.0`** introduces strict header validation that blocks CRLF-based header injection; organizations were urged to upgrade and audit dependencies such as **`body-parser`**, **`qs`**, and **`minimist`** for prototype pollution paths. One report cited internet-wide estimates of more than **48,000** potentially exposed instances, underscoring the risk of unauthorized internal access and possible full cloud compromise.
2 weeks ago
Critical Code Injection in Orval OpenAPI Client Generator (CVE-2026-23947)
A critical software supply-chain vulnerability, **CVE-2026-23947** (CVSS **9.3**), was disclosed in *Orval*, a widely used npm tool that generates type-safe TypeScript/JavaScript clients from OpenAPI/Swagger specifications. The flaw allows **code injection** when Orval processes untrusted or compromised API specifications: attacker-controlled content in the `x-enumDescriptions` / `x-enum-descriptions` field is embedded without proper escaping in `getEnumImplementation()`, enabling malicious TypeScript/JavaScript to be written into generated client/schema files during `const enum` generation. Successful exploitation can lead to **arbitrary code execution in environments consuming the generated clients**, shifting risk to downstream developers and build/runtime pipelines that treat generated code as trusted. Affected versions are reported as **7.10.0 through 8.0.2**, and vendor guidance indicates updating to a fixed release (noted as *Orval* **8.0.2**) to remediate; the issue is described as similar to **CVE-2026-22785** but impacting a different `@orval/core` code path not covered by the earlier fix.
1 month ago