GHSA-xq3m-2v4x-88gg: Arbitrary code execution in protobufjs

April 16, 2026 (updated April 30, 2026)

protobufjs compiles protobuf definitions into JS functions. Attackers can manipulate these definitions to execute arbitrary JS code.

References

github.com/advisories/GHSA-xq3m-2v4x-88gg
github.com/protobufjs/protobuf.js
github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg

Code Behaviors & Features

Detect and mitigate GHSA-xq3m-2v4x-88gg with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →