Hacker News

Critical flaw in Protobuf library enables JavaScript code execution

22 points by Brajeshwar today at 4:37 PM | 11 comments

Comments

gnabgib today at 5:31 PM

Lots more details from Endor Labs (flaw finder & source): https://www.endorlabs.com/learn/the-dangers-of-reusing-proto...

skybrian today at 5:00 PM

How does the attacker supply a malicious schema? Can that be turned off? It doesn't seem like a normal thing to do.

lioeters today at 5:32 PM

> the library builds JavaScript functions from protobuf schemas by concatenating strings and executing them via the Function() constructor, but it fails to validate schema-derived identifiers, such as message names.

Typical "eval is evil" issue.
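
The pattern quoted above, as an added example that is not part of the thread and is not protobuf.js code: a check that rejects non-identifier names in a schema before anything is concatenated into source for `Function()`. The descriptor layout (`nested`/`fields`), the function names and the sample data are assumptions constructed for illustration.

```javascript
// Added example: a toy validator and generator, not protobuf.js source.
// Names in .proto files: a letter or underscore, then letters, digits, underscores.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

function isSafeIdentifier(name) {
  return typeof name === "string" && IDENT.test(name);
}

// Walk a JSON descriptor (assumed layout: { nested: { Name: { fields, nested } } })
// and return the dotted path of every type or field name that is not a plain identifier.
function findBadIdentifiers(node, path = []) {
  if (node === null || typeof node !== "object") return [];
  const bad = [];
  for (const section of ["nested", "fields"]) {
    const children = node[section];
    if (children === null || typeof children !== "object") continue;
    for (const name of Object.keys(children)) {
      const here = path.concat(name);
      if (!isSafeIdentifier(name)) bad.push(here.join("."));
      if (section === "nested") bad.push(...findBadIdentifiers(children[name], here));
    }
  }
  return bad;
}

// Code-generation sink with the check applied immediately before concatenation.
// Without the guard, `name` would become part of the source text handed to Function().
function compileType(name) {
  if (!isSafeIdentifier(name)) {
    throw new TypeError("refusing to generate code for name " + JSON.stringify(name));
  }
  return Function("return function " + name + "() {}")();
}

// Constructed sample descriptor: one ordinary message, one with a hostile name.
const sampleDescriptor = {
  nested: {
    app: {
      nested: {
        User: { fields: { id: { type: "int32", id: 1 } } },
        "User(){} /* constructed: extra source text */ function x": {
          fields: { "a-b": { type: "string", id: 1 } },
        },
      },
    },
  },
};
```

Running `findBadIdentifiers` on a schema from an untrusted source before loading it reports every offending name with its path; a reserved word such as `class` passes the pattern but only makes `compileType` throw a `SyntaxError`.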

rvz today at 4:40 PM

Both "Javascript" and "Typescript" are incredibly flawed languages and the entire npm ecosystem is the bane of the software security industry.
