Six vulnerabilities were reported in protobuf.js, a core Protocol Buffers library for Node.js, that could allow remote code execution or denial of service. The problem is not only technical: the project's maintainers are unpaid volunteers, while giants like Google use the library without contributing to its security.
Serialization flaws opening the door to attacks 🛡️
The vulnerabilities lie in how protobuf.js handles buffers and validates types while decoding, so an attacker who can deliver a malformed message to a service that decodes it can exhaust memory or crash the process (denial of service) or, in the worst cases, reach arbitrary code execution. The practical response is the usual one for a dependency bug: check which protobuf.js version your lock file pins, upgrade to a fixed release, and treat every decoder fed from the network as an input-validation boundary. The root of the problem, though, is the lack of resources for continuous audits: large companies depend on this library in critical systems but do not invest in its maintenance, leaving its security in the hands of a few unpaid developers.
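The article does not publish the details of the six flaws, so the following is an added illustration of the general class it describes (untrusted lengths and varints driving buffer access), not protobuf.js code and not a reproduction of the reported bugs. It is a minimal reader for the protobuf wire format with a naive mode that trusts every length prefix and continuation bit, and a strict mode that validates them first. The per-field cap `MAX_FIELD_BYTES`, the helper names and the sample messages are all constructed for this example.

```javascript
// Added illustration, not protobuf.js code: a minimal reader for the protobuf
// wire format with a naive mode that trusts every length and varint it sees, and
// a strict mode that validates them before they drive buffer access. Wire types
// 3/4 (deprecated groups) are not handled. All sample messages are constructed.

const MAX_VARINT_BYTES = 10;      // a valid 64-bit varint never needs more than 10 bytes
const MAX_FIELD_BYTES = 1 << 20;  // per-field size cap: an assumed policy for this example

// Base-128 varint. Naive mode keeps reading past the end of the buffer (out-of-range
// reads yield undefined, which coerces to 0) and accepts any number of continuation bytes.
function readVarint(buf, pos, strict) {
  let value = 0, shift = 0, n = 0;
  for (;;) {
    if (strict && pos >= buf.length) throw new RangeError("truncated varint");
    if (strict && n >= MAX_VARINT_BYTES) throw new RangeError("varint too long");
    const b = buf[pos++];
    n++;
    value += (b & 0x7f) * 2 ** shift;  // multiply rather than shift so values above 2^31 do not wrap
    if (!(b & 0x80)) return { value, pos };
    shift += 7;
  }
}

// Reads the fixed-size or length-delimited payload of one field.
function readBytes(buf, pos, len, strict) {
  if (strict && len > buf.length - pos) {
    throw new RangeError(`declared length ${len} exceeds remaining ${buf.length - pos} bytes`);
  }
  if (strict && len > MAX_FIELD_BYTES) throw new RangeError(`field of ${len} bytes exceeds cap`);
  // A decoder that used len to size an allocation here would hand the sender a
  // memory-exhaustion primitive; subarray only creates a view, so the naive path
  // fails quietly instead and returns fewer bytes than were declared.
  return { value: buf.subarray(pos, pos + len), pos: pos + len };
}

// Splits a top-level message into { fieldNumber, wireType, value } records.
function decodeFields(buf, strict) {
  const fields = [];
  let pos = 0;
  while (pos < buf.length) {
    let r = readVarint(buf, pos, strict);
    pos = r.pos;
    const fieldNumber = Math.floor(r.value / 8), wireType = r.value % 8;
    if (strict && (fieldNumber < 1 || fieldNumber > 0x1fffffff)) {
      throw new RangeError(`bad field number ${fieldNumber}`);
    }
    switch (wireType) {
      case 0: r = readVarint(buf, pos, strict); break;      // varint
      case 1: r = readBytes(buf, pos, 8, strict); break;    // fixed64
      case 5: r = readBytes(buf, pos, 4, strict); break;    // fixed32
      case 2: {                                             // length-delimited
        const lenVar = readVarint(buf, pos, strict);
        r = readBytes(buf, lenVar.pos, lenVar.value, strict);
        break;
      }
      default: throw new RangeError(`unsupported wire type ${wireType}`);
    }
    pos = r.pos;
    fields.push({ fieldNumber, wireType, value: r.value });
  }
  return fields;
}

// Wraps decodeFields so callers get { ok, fields } or { ok, error } instead of an exception.
function tryDecode(buf, strict) {
  try { return { ok: true, fields: decodeFields(buf, strict) }; }
  catch (err) { return { ok: false, error: err.message }; }
}

// Constructed sample messages.
// Well-formed: field 1 = varint 150, field 2 = string "hi".
const GOOD = Uint8Array.of(0x08, 0x96, 0x01, 0x12, 0x02, 0x68, 0x69);
// Field 2 declares a 268,435,455-byte payload but only one byte follows.
const OVERSIZED_LENGTH = Uint8Array.of(0x12, 0xff, 0xff, 0xff, 0x7f, 0x41);
// Field 1 carries a 12-byte varint (eleven continuation bytes); 10 is the legal maximum.
const OVERLONG_VARINT = Uint8Array.of(0x08, ...new Array(11).fill(0x80), 0x01);

for (const [name, msg] of Object.entries({ GOOD, OVERSIZED_LENGTH, OVERLONG_VARINT })) {
  console.log(name, "naive:", tryDecode(msg, false), "strict:", tryDecode(msg, true));
}
```

The naive path never throws: the oversized length yields a one-byte payload that is silently passed downstream, and the overlong varint decodes to 2^77 and is accepted as a field value. The strict path rejects both before any buffer access happens, which is the check a decoder exposed to untrusted peers has to make regardless of which library it comes from.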
Open source: where corporations ask but don't pay 💸
Google, Amazon, and others use protobuf.js to move data around their clouds, but when a flaw appears, the patch is written by a volunteer in the hours left over from their day job. It is like asking a neighbor to watch your house for free and then, when a thief breaks in, complaining that they should have fitted better locks. End users trust systems held together by coffee and goodwill, while the companies rake in millions.