## CRITICAL: protobufjs < 7.5.5 Arbitrary Code Execution Risk via Firebase & firebase-admin
A critical supply chain vulnerability has been identified that exposes projects using Firebase and firebase-admin to potential arbitrary code execution. The flaw resides in the transitive dependency `protobufjs` (versions below 7.5.5), which is pulled in automatically through two distinct dependency chains. Classified as CWE-94 (Code Injection), it allows arbitrary code to be executed and poses a severe risk to affected applications.

The vulnerability is introduced via `@grpc/proto-loader`. In production, `firebase@12.11.0` depends on it, while in development and CI environments, `firebase-admin@13.8.0` pulls it in through a longer chain involving `@google-cloud/firestore` and `google-gax`. Both paths ultimately install the vulnerable `protobufjs@7.5.4`. A fix is available via `npm audit fix` to upgrade to the patched version 7.5.5.

While the immediate exploit surface within a typical Firebase single-page application may be limited, the presence of a critical code execution flaw in a core dependency chain represents a significant latent threat. This finding underscores the persistent risk in modern software supply chains, where a single vulnerable library deep in the dependency tree can compromise entire ecosystems. The advisory (GHSA-xq3m-2v4x-88gg) is not yet listed on the CISA Known Exploited Vulnerabilities catalog, but its critical severity demands urgent remediation to prevent potential exploitation.
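Because both chains described above end in the same hoisted `protobufjs` install, the practical remediation question is "which copies of `protobufjs` does my lockfile actually contain, and are they all at 7.5.5 or later?" The following Node script is an added example, not part of the advisory or of any Firebase project; it walks the `packages` map of an npm lockfile (lockfile v2/v3 format), reports every `protobufjs` entry below the fixed version, and emits an npm `overrides` stanza that pins the package to a patched release. The embedded lockfile is constructed sample data (its nested 7.5.5 copy under `firebase-admin` is hypothetical), and the nesting path it reports is the lockfile's physical nesting, not the full logical dependency chain, which hoisting hides.

```javascript
// Added example: find vulnerable protobufjs installs in an npm lockfile and
// produce an "overrides" pin. Not from the advisory or any Firebase project.

const PKG = 'protobufjs';
const FIXED = '7.5.5'; // first patched version named in the advisory

// Split "7.5.5-rc.1" into numeric parts and an optional prerelease tag.
function splitVersion(v) {
  const i = v.indexOf('-');
  const base = i === -1 ? v : v.slice(0, i);
  const pre = i === -1 ? null : v.slice(i + 1);
  return { nums: base.split('.').map(Number), pre };
}

// True when version a sorts strictly before version b (semver major.minor.patch,
// with a prerelease of the same base sorting before the release itself).
function versionBelow(a, b) {
  const va = splitVersion(a), vb = splitVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = va.nums[i] || 0, y = vb.nums[i] || 0;
    if (x !== y) return x < y;
  }
  return va.pre !== null && vb.pre === null;
}

// Scan the lockfile "packages" map for every physical install of pkgName
// whose version is below `fixed`. Keys look like
// "node_modules/a/node_modules/b"; the returned chain is that nesting only.
function findVulnerable(lock, pkgName = PKG, fixed = FIXED) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/' + pkgName) || !meta.version) continue;
    if (!versionBelow(meta.version, fixed)) continue;
    const chain = path.split('node_modules/').filter(Boolean)
      .map(seg => seg.replace(/\/$/, ''));
    hits.push({ path, version: meta.version, chain });
  }
  return hits;
}

// package.json fragment forcing a patched release across the whole tree
// (npm "overrides", supported since npm 8.3). Returns null when nothing is vulnerable.
function overrideStanza(hits, pkgName = PKG, fixed = FIXED) {
  if (hits.length === 0) return null;
  return JSON.stringify({ overrides: { [pkgName]: '^' + fixed } }, null, 2);
}

// Constructed sample lockfile (v3 layout), not a real project's lockfile:
// one hoisted vulnerable copy and one hypothetical already-patched nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { firebase: '^12.11.0' }, devDependencies: { 'firebase-admin': '^13.8.0' } },
    'node_modules/firebase': { version: '12.11.0' },
    'node_modules/@grpc/proto-loader': { version: '0.0.0-constructed' },
    'node_modules/protobufjs': { version: '7.5.4' },
    'node_modules/firebase-admin': { version: '13.8.0' },
    'node_modules/firebase-admin/node_modules/protobufjs': { version: '7.5.5' },
  },
};

// CLI use: node check-protobufjs.js package-lock.json  (otherwise the sample runs)
if (process.argv[2]) {
  const fs = require('node:fs');
  const lock = JSON.parse(fs.readFileSync(process.argv[2], 'utf8'));
  const hits = findVulnerable(lock);
  console.log(JSON.stringify(hits, null, 2));
  console.log(overrideStanza(hits) || `no ${PKG} below ${FIXED} found`);
} else {
  console.log(JSON.stringify(findVulnerable(SAMPLE_LOCK), null, 2));
}
```

After applying the override, rerun `npm install` and then `npm audit` to confirm the advisory no longer reports; `npm ls protobufjs` shows which physical copies remain.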
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: supply-chain, vulnerability, npm, firebase, cybersecurity
- **Credibility**: unverified
- **Published**: 2026-04-19 00:22:24
- **ID**: 70865
- **URL**: https://whisperx.ai/en/intel/70865