https://www.bleepingcomputer.com/news/security/critical-flaw-in-protobuf-library-enables-javascript-code-execution/
Article
- Critical RCE vulnerability in a Protobuf JS library discovered by Endor Labs.
- Library builds JS functions by string-concatenating schema identifiers, then calls Function().
- Attacker-controlled protobuf schema can inject arbitrary JavaScript.
- Affects any app that processes untrusted protobuf schemas with this library.
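
The pattern summarized above, as an added example (not code from the affected library or from Endor Labs): a hypothetical toy generator, `unsafeGetter`, concatenates a schema field name into source text passed to Function(), beside a hardened `safeGetter` that allow-lists identifiers and uses the name only as a data key. All function names, the marker property and the sample field names are constructed for illustration.

```javascript
// Hypothetical toy code generator (NOT the affected library's code): builds a
// field getter by concatenating the schema-supplied name into source text.
function unsafeGetter(fieldName) {
  // Weak: the name becomes part of the program, not just a lookup key.
  return new Function("msg", "return msg." + fieldName + ";");
}

// Protobuf-style identifier: letter or underscore, then letters/digits/underscores.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

function safeGetter(fieldName) {
  if (typeof fieldName !== "string" || !IDENT.test(fieldName)) {
    throw new TypeError("rejected schema identifier: " + JSON.stringify(fieldName));
  }
  // No code generation: the validated name is only ever used as a data key,
  // and only own properties are read (so "__proto__" etc. return undefined).
  return (msg) =>
    Object.prototype.hasOwnProperty.call(msg, fieldName) ? msg[fieldName] : undefined;
}

function demo() {
  const msg = { user_id: 7 };
  // Constructed sample: a "field name" that is not an identifier and carries
  // a harmless marker assignment instead of a real payload.
  const hostileName = "user_id, globalThis.__schemaCodeRan = true";

  delete globalThis.__schemaCodeRan;
  unsafeGetter(hostileName)(msg); // schema text executes as code
  const unsafeRanSchemaCode = globalThis.__schemaCodeRan === true;
  delete globalThis.__schemaCodeRan;

  let rejected = false;
  try {
    safeGetter(hostileName);
  } catch (e) {
    rejected = e instanceof TypeError;
  }

  return {
    benignUnsafe: unsafeGetter("user_id")(msg),
    benignSafe: safeGetter("user_id")(msg),
    unsafeRanSchemaCode,
    rejected,
  };
}

console.log(demo());
```

Validation has to happen at schema load time, before any name reaches a code generator; where generated code is unavoidable, the same allow-list check applies to every identifier spliced into it.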
Discussion
- lioeters: classic “eval is evil” pattern: Function() constructor used as unsafe eval equivalent.
- skybrian asked key question: how does attacker supply the malicious schema? Depends on app architecture.
- rvz: broad take that JS/TS and npm ecosystem are the root cause of these recurring security issues.