## Critical protobufjs RCE Flaw Patched Across OpenTelemetry Node.js Instrumentation Ecosystem
A comprehensive security update has addressed nine vulnerabilities, including two critical-severity flaws, affecting multiple packages within the OpenTelemetry Node.js instrumentation ecosystem. The most severe issue involves protobufjs, where a schema compilation vulnerability allows attackers to inject arbitrary code into generated JavaScript functions through crafted bytes field default values, enabling remote code execution when processing malicious protobuf schemas.

The affected packages include @opentelemetry/auto-instrumentations-node, @opentelemetry/sdk-node, @opentelemetry/exporter-trace-otlp-http, and @aws-sdk/xml-builder. These dependencies are widely deployed across production environments that rely on automatic instrumentation for distributed tracing and observability. In addition to the critical protobufjs remote code execution vector, the patch resolves prototype pollution vulnerabilities, denial-of-service conditions, and URI normalization bypass issues that could be chained to escalate privileges or exfiltrate data.

Developers using the OpenTelemetry SDK for Node.js should upgrade immediately, though Aikido notes that breaking-changes analysis is unavailable for four of the impacted packages. Organizations running automated dependency scanning should verify that protobufjs and the related telemetry packages resolve to the latest patched versions, including where they are pulled in only transitively. The prevalence of these instrumentation libraries in cloud-native and microservices architectures means the attack surface extends beyond individual applications to the observability infrastructure itself. Security teams should audit transitive dependencies and treat any untrusted protobuf schema processed by instrumented services as a potential execution vector until the patch is confirmed deployed.
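As an added example (not code from the advisory, from Aikido, or from protobufjs itself), the following pre-load audit assumes the JSON descriptor shape that protobufjs's `Root.fromJSON` accepts: it walks the descriptor and flags every `bytes` field whose declared default is anything other than a plain base64 string, so a schema from an untrusted source can be rejected before it ever reaches the code generator.

```javascript
// Added example: audit a protobufjs-style JSON descriptor (assumed Root.fromJSON
// shape: { nested: { Msg: { fields: { f: { type, id, options } } } } }) for bytes
// fields whose default value is not plain base64. Anything else is refused.
const PLAIN_BASE64 = /^[A-Za-z0-9+/]*={0,2}$/;

// Recursively collect suspicious bytes defaults; returns a list of findings.
function auditBytesDefaults(descriptor, path = [], findings = []) {
  const nested = descriptor.nested || {};
  for (const [name, def] of Object.entries(nested)) {
    const here = [...path, name];
    for (const [fname, field] of Object.entries(def.fields || {})) {
      const dflt = field.options && field.options.default;
      if (field.type === "bytes" && dflt !== undefined) {
        const ok = typeof dflt === "string" && PLAIN_BASE64.test(dflt);
        if (!ok) findings.push({ field: [...here, fname].join("."), default: dflt });
      }
    }
    auditBytesDefaults(def, here, findings); // messages may nest further types
  }
  return findings;
}

// Gate: only hand a descriptor to protobufjs when the audit is clean.
function safeToLoad(descriptor) {
  return auditBytesDefaults(descriptor).length === 0;
}

// Constructed sample (hypothetical package/message names): one benign base64
// default and one default containing characters that do not belong in a bytes
// literal (a quote and whitespace), which the audit must flag.
const SAMPLE_DESCRIPTOR = {
  nested: {
    telemetry: {
      nested: {
        Span: {
          fields: {
            traceId: { type: "bytes", id: 1, options: { default: "AAEC" } },
            payload: { type: "bytes", id: 2, options: { default: 'not base64 " data' } },
            name: { type: "string", id: 3, options: { default: "ok" } },
          },
        },
      },
    },
  },
};

console.log(auditBytesDefaults(SAMPLE_DESCRIPTOR)); // one finding: telemetry.Span.payload
```

Run the audit on every descriptor obtained from outside your own build before calling `Root.fromJSON`; a non-empty result should fail the load rather than just log.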
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: protobufjs, RCE, CVE, opentelemetry, node.js
- **Credibility**: unverified
- **Published**: 2026-05-14 23:48:35
- **ID**: 83235
- **URL**: https://whisperx.ai/en/intel/83235