#69 2025-03-31
Critical RCE in protobuf.js (GHSA-xq3m-2v4x-88gg): A Malicious Schema Is All It Takes
Endor Labs disclosed a CVSS 9.9 code-execution flaw in protobuf.js — the 52M-downloads-per-week JavaScript Protobuf library. Loading an attacker-controlled .proto schema is enough to run arbitrary code on the host. Here's the root cause, the one-line patch, and who's actually exposed.