vLLM Patches protobuf.js Remote Code Execution

What happened

  • vLLM, the dominant open-source LLM inference and serving framework, patched protobuf.js for CVE-2026-0994 in release PR #34253.
  • The underlying vulnerability (GHSA-xq3m-2v4x-88gg) is a critical remote code execution flaw in protobuf.js, a JavaScript implementation of Google's Protocol Buffers with nearly 50 million weekly npm downloads.
  • The bug stems from unsafe dynamic code generation: the library builds JavaScript functions from protobuf schemas by concatenating strings and executing them via the Function() constructor, without validating schema-derived identifiers like message names.
  • An attacker supplying a malicious schema can inject arbitrary JavaScript code into the generated function, achieving RCE when the application processes messages using that schema.
  • Servers and applications that load attacker-influenced schemas are affected: exploitation grants access to environment variables, credentials, and databases, and enables lateral movement.
  • Endor Labs researcher Cristian Staicu reported the flaw on March 2; patches shipped April 4 (8.x branch) and April 15 (7.x branch). PoC exploit code has been published.
  • Fixed versions: protobuf.js 8.0.1 and 7.5.5. No active exploitation in the wild has been observed to date.

Why it matters for AI infrastructure

vLLM is the backbone of production LLM serving for thousands of organizations. If your vLLM deployment pulls in an unpatched protobuf.js dependency — directly or transitively — an attacker who can influence schema loading (e.g., via model metadata, configuration files, or inter-service RPC) could achieve remote code execution on your inference servers. AI infrastructure teams running vLLM should treat this as a priority patch.

What to do

  • Upgrade vLLM to the latest release that includes the protobuf.js patch (PR #34253).
  • Audit transitive dependencies across your AI stack for protobuf.js versions ≤ 8.0.0 / ≤ 7.5.4.
  • Treat schema loading as untrusted input — prefer precompiled or static schemas in production deployments.
  • If you run custom MCP servers or agent tooling built on Node.js, check your own dependency chains for protobuf.js.
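
One way to run the dependency audit described above, as an added example (not code from vLLM, protobuf.js or Endor Labs). It goes slightly beyond the bullet by covering both npm lockfile layouts; the function names and the sample lockfile are constructed for illustration, `protobufjs` is the library's npm package name, and versions below 8.0.0 are assumed to be judged against the 7.5.5 fix.

```javascript
// Fixed versions (from this page): 7.5.5 on the 7.x line, 8.0.1 on the 8.x line.
const FIXED = { legacy: [7, 5, 5], current: [8, 0, 1] };

// Returns true (affected), false (fixed) or null (unparsable, review by hand).
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return null;
  const v = m.slice(1).map(Number);
  // Assumption: everything below 8.0.0 is judged against the 7.x fix.
  const fixed = v[0] >= 8 ? FIXED.current : FIXED.legacy;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false; // exactly the fixed version
}

// Walks both lockfile layouts: the flat "packages" map (lockfileVersion 2/3)
// and the nested "dependencies" tree (lockfileVersion 1).
// Pass it a parsed lockfile, e.g. JSON.parse of your package-lock.json contents.
function findAffected(lock) {
  const hits = [];
  const check = (path, version) => {
    const affected = isAffected(version);
    if (affected !== false) hits.push({ path, version, affected });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.split("node_modules/").pop() === "protobufjs") check(path, meta.version);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === "protobufjs") check(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app", version: "1.0.0" },
    "node_modules/protobufjs": { version: "7.5.5" },
    "node_modules/rpc-lib/node_modules/protobufjs": { version: "7.2.4" },
    "node_modules/telemetry/node_modules/protobufjs": { version: "8.0.0" },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

Entries reported with `affected: null` carry a version string that is not plain semver (for example a git or link dependency) and need a manual check.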
