Back to Home

Critical vulnerability in protobuf.js: threat to Google Cloud and Firebase

Critical vulnerability in the protobuf.js library allows arbitrary code execution on the server. Services on Google Cloud and Firebase are affected. Fixes have been released.

Critical hole in protobuf.js: millions of services at risk
Advertisement 728x90

Critical Vulnerability in protobuf.js Threatens Thousands of Services on Google Cloud and Firebase

The popular JavaScript library protobuf.js, used for working with the Protocol Buffers format, contains a critical vulnerability that allows attackers to execute arbitrary code on the server. The issue affects millions of services, especially those running on Google Cloud and Firebase.

How the Attack Works

The vulnerability is related to the mechanism for processing protobuf schema files. The library generates JavaScript code based on the data description and executes it via an eval-like function. If malicious code is inserted into the type or field name of the schema, it will be executed without validation.

The attack does not require complex actions: it is enough for the application to load a tampered schema file from an external source. Such schemas are often obtained from partner services, shared repositories, or through gRPC self-description. After loading, a single ordinary message activates the malicious code.

Google AdInline article slot

Scope of the Threat

  • 52 million weekly downloads — that's how many times protobuf.js is downloaded.
  • The library is often a hidden dependency, so the actual number of vulnerable projects may be higher.
  • Versions up to and including 8.0.0 and 7.5.4 are affected.
  • The vulnerability has been assigned identifier GHSA-xq3m-2v4x-88gg and a CVSS score of 9.4.

Key Points

  • The vulnerability allows code execution on the server without authentication.
  • An attack is possible if the application loads schemas from external sources.
  • Fixes have been released in versions 8.0.1 and 7.5.5.
  • No public attacks have been reported yet, but exploitation is technically simple.
  • Services on Google Cloud, Firebase, and those using gRPC are particularly vulnerable.

Business Impact

If an attacker compromises a single schema source, they can:

  • Gain access to tokens and user data.
  • Infiltrate internal services.
  • Steal confidential information.

Given the popularity of protobuf.js, the attack could affect thousands of companies. Developers must urgently update the library and check all dependencies, especially those that load schemas from external sources.

Recommendations

  • Immediately update protobuf.js to version 8.0.1 or 7.5.5.
  • Check all projects for hidden dependencies on vulnerable versions.
  • Review places where the application loads schema files from external sources.
  • Consider validating schemas before loading.
  • Use integrity control mechanisms for downloaded files.

— Editorial Team

Google AdInline article slot
Advertisement 728x90

Read Next