fix(deps): update dependency protobufjs to v7.5.5 [security] by renovate-bot · Pull Request #8071 · googleapis/google-cloud-node

renovate-bot · 2026-04-17T04:22:56Z

This PR contains the following updates:

Package	Change	Age	Confidence
protobufjs (source)	`~7.4.0` → `~7.5.5`
protobufjs (source)	`7.2.4 - 7.5.0` → `7.5.5 7.5.5`

Arbitrary code execution in protobufjs

CVE-2026-41242 / GHSA-xq3m-2v4x-88gg

More information

Details

Summary

protobufjs compiles protobuf definitions into JS functions. Attackers can manipulate these definitions to execute arbitrary JS code.

Details

Attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition.

PoC

const protobuf = require('protobufjs');
maliciousDescriptor = JSON.parse(`{"nested":{"User":{"fields":{"id":{"type":"int32","id":1},"data":{"type":"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\\nfunction X","id":2}}},"Data(){console.log(process.mainModule.require('child_process').execSync('id').toString())};\\nfunction X":{"fields":{"content":{"type":"string","id":1}}}}}`)
const root = protobuf.Root.fromJSON(maliciousDescriptor);
const UserType = root.lookupType("User");
const userBytes = Buffer.from([0x08, 0x01, 0x12, 0x07, 0x0a, 0x05, 0x68, 0x65, 0x6c, 0x6c, 0x6f]);
try {
    const user = UserType.decode(userBytes);
} catch (e) {}

Impact

Remote code execution when attackers can control the protobuf definition files.

Severity

CVSS Score: 9.4 / 10 (Critical)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

protobufjs/protobuf.js (protobufjs)

`v7.5.5`: v7.5.5

Compare Source

v7.5.5

This release backports two reported security issues to 7.x branch.

fix: do not allow setting __proto__ in Message constructor (#2126)
fix: filter invalid characters from the type name (#2127)

Full Changelog: protobufjs/protobuf.js@protobufjs-v7.5.4...protobufjs-v7.5.5

`v7.5.4`

Compare Source

Bug Fixes

invalid syntax in descriptor.proto (#2092) (5a3769a)

`v7.5.3`

Compare Source

Bug Fixes

descriptor extensions handling post-editions (#2075) (6e255d4)

`v7.5.2`

Compare Source

Bug Fixes

ensure that types are always resolved (#2068) (4b51cb2)

`v7.5.1`

Compare Source

Bug Fixes

optimize regressions from editions implementations (#2066) (6406d4c)
reserved field inside group blocks fail parsing (#2058) (56782bf)

`v7.5.0`

Compare Source

Features

add Edition 2023 Support (f04ded3)
add Edition 2023 Support (ac9a3b9)
add Edition 2023 Support (e5ca5c8)
add Edition 2023 Support (a84409b)
add Edition 2023 Support (9c5a178)
add Edition 2023 Support (b2c6867)
add Edition 2023 Support (60f3e51)
add Edition 2023 Support (a656361)
add Edition 2023 Support (869a95b)
add Edition 2023 Support (b936af4)
add Edition 2023 Support (a938467)
add Edition 2023 Support (1af8454)
add Edition 2023 Support (785416f)
add feature resolution (a9ffc8a)
add feature resolution and tests (68b5339)
add feature resolution for protobuf editions (547afa2)
add feature resolution for protobuf editions (65d3ed1)
api_converters_editions tests added and run successfully" (b4b5ca4)
increase size of file that protobufjs CLI can process (00d5f1a)
increase size of file that protobufjs CLI can process (d36ef0f)

Bug Fixes

change tree traversal order and feature resolution algorithm (d2d47d9)
remove eval usage so that chrome extension MV3 can run properly (#1941) (f2ccb99)

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

dpebot · 2026-04-17T04:23:08Z

/gcbrun

gemini-code-assist

Code Review

This pull request updates the protobufjs dependency to version 7.5.5 across multiple packages to address a security vulnerability. Feedback includes correcting an invalid semver range in handwritten/bigquery-storage/package.json, addressing a remaining nested vulnerable version of protobufjs in the package-lock.json, and investigating a suspicious version update for @types/node in the yarn.lock file.

dpebot · 2026-04-17T06:11:05Z

/gcbrun

dpebot · 2026-04-17T06:23:10Z

/gcbrun

dpebot · 2026-04-17T17:23:29Z

/gcbrun

dpebot · 2026-04-17T20:47:36Z

/gcbrun

dpebot · 2026-04-19T10:24:35Z

/gcbrun

boris-szl · 2026-04-19T14:33:33Z

any updates on this? our code sec agent is screaming for this vuln, asap release would be appreciated

dpebot · 2026-04-19T17:27:36Z

/gcbrun

dpebot · 2026-04-20T19:18:46Z

/gcbrun

dpebot · 2026-04-20T19:50:18Z

/gcbrun

danieljbruce · 2026-04-20T20:45:14Z

any updates on this? our code sec agent is screaming for this vuln, asap release would be appreciated

It's a bit tricky because the protobufjs dependency was actually pinned to avoid breaking ProtoDescriptors.

dpebot · 2026-04-20T21:06:39Z

/gcbrun

dpebot · 2026-04-20T22:03:23Z

/gcbrun

boris-szl · 2026-04-22T18:00:01Z

any updates on this? our code sec agent is screaming for this vuln, asap release would be appreciated

It's a bit tricky because the protobufjs dependency was actually pinned to avoid breaking ProtoDescriptors.

I see. Thanks for clarification. Good luck and best efforts fixing this!

dpebot · 2026-04-22T19:35:59Z

/gcbrun

dpebot · 2026-04-22T21:17:14Z

/gcbrun

dpebot · 2026-04-23T13:39:15Z

/gcbrun

dpebot · 2026-04-23T15:48:15Z

/gcbrun

dpebot · 2026-04-23T23:08:26Z

/gcbrun

dpebot · 2026-04-23T23:09:54Z

/gcbrun

dpebot · 2026-04-23T23:30:29Z

/gcbrun

dpebot · 2026-04-24T03:03:45Z

/gcbrun

dpebot · 2026-04-24T05:56:20Z

/gcbrun

dpebot · 2026-04-24T17:27:57Z

/gcbrun

dpebot · 2026-04-24T17:47:08Z

/gcbrun

dpebot · 2026-04-24T18:50:03Z

/gcbrun

dpebot · 2026-04-24T20:23:27Z

/gcbrun

dpebot · 2026-04-24T20:39:22Z

/gcbrun

dpebot · 2026-04-24T21:12:08Z

/gcbrun

renovate-bot requested review from a team as code owners April 17, 2026 04:22

gemini-code-assist Bot reviewed Apr 17, 2026

View reviewed changes

Comment thread handwritten/bigquery-storage/package.json

Comment thread core/generator/gapic-generator-typescript/package-lock.json

Comment thread core/generator/gapic-generator-typescript/yarn.lock Outdated

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 954a9f9 to 7488e27 Compare April 17, 2026 06:10

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 7488e27 to 1efed92 Compare April 17, 2026 06:23

danieljbruce previously approved these changes Apr 17, 2026

View reviewed changes

danieljbruce added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Apr 17, 2026

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Apr 17, 2026

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 1efed92 to 46bb50d Compare April 17, 2026 17:23

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 46bb50d to c135694 Compare April 17, 2026 20:47

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from c135694 to 9dca9b2 Compare April 19, 2026 10:24

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 9dca9b2 to 1bc5f9f Compare April 19, 2026 17:27

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 1bc5f9f to baa5e57 Compare April 20, 2026 19:18

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from baa5e57 to 8f69140 Compare April 20, 2026 19:50

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 8f69140 to fc749c2 Compare April 20, 2026 21:06

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from fc749c2 to b70760b Compare April 20, 2026 22:03

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from cbe13ca to 7fb767f Compare April 22, 2026 19:35

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 7fb767f to 5edca7d Compare April 22, 2026 21:17

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 5edca7d to a1e6628 Compare April 23, 2026 13:39

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from a1e6628 to 5de5b93 Compare April 23, 2026 15:48

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 2aea76e to 5786e44 Compare April 23, 2026 23:30

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 5786e44 to b1cd38e Compare April 24, 2026 03:03

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from b1cd38e to 3a61454 Compare April 24, 2026 05:56

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 3a61454 to 4f5198d Compare April 24, 2026 17:27

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 4f5198d to d20325a Compare April 24, 2026 17:46

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from d20325a to 17519e8 Compare April 24, 2026 18:49

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 17519e8 to 1222259 Compare April 24, 2026 20:23

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 1222259 to 2768f9d Compare April 24, 2026 20:39

fix(deps): update dependency protobufjs to v7.5.5 [security]

0596d35

renovate-bot force-pushed the renovate/npm-protobufjs-vulnerability branch from 2768f9d to 0596d35 Compare April 24, 2026 21:11

Conversation

renovate-bot commented Apr 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Arbitrary code execution in protobufjs

Details

Summary

Details

PoC

Impact

Severity

References

Release Notes

v7.5.5: v7.5.5

v7.5.5

v7.5.4

Bug Fixes

v7.5.3

Bug Fixes

v7.5.2

Bug Fixes

v7.5.1

Bug Fixes

v7.5.0

Features

Bug Fixes

Configuration

Uh oh!

dpebot commented Apr 17, 2026

Uh oh!

gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

Code Review

Uh oh!

Uh oh!

Uh oh!

Uh oh!

dpebot commented Apr 17, 2026

Uh oh!

dpebot commented Apr 17, 2026

Uh oh!

dpebot commented Apr 17, 2026

Uh oh!

dpebot commented Apr 17, 2026

Uh oh!

dpebot commented Apr 19, 2026

Uh oh!

boris-szl commented Apr 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

dpebot commented Apr 19, 2026

Uh oh!

dpebot commented Apr 20, 2026

Uh oh!

dpebot commented Apr 20, 2026

Uh oh!

danieljbruce commented Apr 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

dpebot commented Apr 20, 2026

Uh oh!

dpebot commented Apr 20, 2026

Uh oh!

boris-szl commented Apr 22, 2026

Uh oh!

dpebot commented Apr 22, 2026

Uh oh!

dpebot commented Apr 22, 2026

Uh oh!

dpebot commented Apr 23, 2026

Uh oh!

dpebot commented Apr 23, 2026

Uh oh!

dpebot commented Apr 23, 2026

Uh oh!

dpebot commented Apr 23, 2026

Uh oh!

dpebot commented Apr 23, 2026

Uh oh!

dpebot commented Apr 24, 2026

Uh oh!

renovate-bot commented Apr 17, 2026 •

edited

Loading

`v7.5.5`: v7.5.5

`v7.5.4`

`v7.5.3`

`v7.5.2`

`v7.5.1`

`v7.5.0`

boris-szl commented Apr 19, 2026 •

edited

Loading

danieljbruce commented Apr 20, 2026 •

edited

Loading