Critical RCE vulnerability in protobuf.js library

Critical flaw in widely used Protocol Buffers library
Proof-of-concept exploit code has been published for a critical remote code execution vulnerability in protobuf.js, a JavaScript implementation of Google's Protocol Buffers with nearly 50 million weekly downloads from npm.
Technical details of the vulnerability
The vulnerability (tracked as GHSA-xq3m-2v4x-88gg) is caused by unsafe dynamic code generation. The library builds JavaScript functions from protobuf schemas by concatenating strings and executing them via the Function() constructor, but fails to validate schema-derived identifiers like message names.
This allows an attacker to supply a malicious schema that injects arbitrary code into the generated function, which executes when the application processes a message using that schema.
Impact and affected versions
- Affects protobuf.js versions 8.0.0 and lower on the 8.x branch, and 7.5.4 and lower on the 7.x branch
- Enables RCE on servers or applications loading attacker-influenced schemas
- Can grant access to environment variables, credentials, databases, and internal systems
- Allows lateral movement within infrastructure
- Could affect developer machines loading untrusted schemas locally
Patches and recommendations
Upgrade to patched versions:
- 8.0.1 for the 8.x branch (released to npm on April 4)
- 7.5.5 for the 7.x branch (released to npm on April 15)
The patch sanitizes type names by stripping non-alphanumeric characters, preventing attackers from closing the synthetic function. Endor Labs notes that a longer-term fix would be to stop round-tripping attacker-reachable identifiers through Function entirely.
Additional recommendations from Endor Labs:
- Audit transitive dependencies
- Treat schema-loading as untrusted input
- Prefer precompiled/static schemas in production
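One way to apply the "treat schema-loading as untrusted input" recommendation is a check that runs before a descriptor reaches the schema loader. The following is an added example, not code from protobuf.js or Endor Labs: it assumes the schema arrives as a JSON descriptor using the `nested` / `fields` / `oneofs` / `values` / `methods` layout, and the function names `findUnsafeNames` and `assertSchemaSafe` are hypothetical. It complements upgrading rather than replacing it.

```javascript
// Pre-load check: reject descriptors whose schema-derived names are not plain identifiers.
// Assumption: JSON descriptor layout with nested/fields/oneofs/values/methods maps.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
const TYPE_REF = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;
const NAME_MAPS = ["nested", "fields", "oneofs", "values", "methods"];

// Hypothetical helper: returns a list of findings, empty when the descriptor is clean.
function findUnsafeNames(node, path = "<root>", findings = []) {
  if (node === null || typeof node !== "object") return findings;
  for (const mapKey of NAME_MAPS) {
    const map = node[mapKey];
    if (map === null || typeof map !== "object") continue;
    for (const name of Object.keys(map)) {
      const where = `${path}.${mapKey}[${JSON.stringify(name)}]`;
      if (!IDENT.test(name)) findings.push(`${where}: name is not a plain identifier`);
      const child = map[name];
      // Field type references may be dotted identifiers, nothing else.
      if (mapKey === "fields" && (typeof child?.type !== "string" || !TYPE_REF.test(child.type))) {
        findings.push(`${where}: type reference ${JSON.stringify(child?.type)} rejected`);
      }
      findUnsafeNames(child, where, findings);
    }
  }
  return findings;
}

// Hypothetical gate: throw before the descriptor is handed to any schema loader.
function assertSchemaSafe(descriptor) {
  const findings = findUnsafeNames(descriptor);
  if (findings.length > 0) throw new Error("untrusted schema rejected:\n" + findings.join("\n"));
  return descriptor;
}

// Constructed sample descriptors (not taken from any real project).
const cleanSchema = {
  nested: { shop: { nested: {
    Order: { fields: { id: { type: "uint64", id: 1 }, buyer: { type: "shop.User", id: 2 } } },
    User: { fields: { email: { type: "string", id: 1 } } },
    Status: { values: { OPEN: 0, PAID: 1 } },
  } } },
};
const suspectSchema = {
  nested: { shop: { nested: {
    "Order(v2)": { fields: { "line item": { type: "string;", id: 1 } } },
  } } },
};
```

Logging the findings list rather than only the boolean result gives responders the exact descriptor path that tripped the check.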
Timeline and status
- Vulnerability reported by Endor Labs researcher Cristian Staicu on March 2
- Patch released on GitHub on March 11
- npm packages updated in April
- No active exploitation observed to date
- Exploitation described as "straightforward", with a minimal PoC available
📖 Read the full source: HN AI Agents