A critical code injection vulnerability (GHSA-xq3m-2v4x-88gg, CVSS 9.5) in protobuf.js enables RCE via malicious Protocol Buffer schema input in any Node.js application that parses untrusted schemas. A public proof-of-concept is available, lowering the exploitation bar to commodity level. Any service accepting user-supplied or third-party-sourced .proto definitions is immediately at risk.
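As an added example (not from the advisory or the protobuf.js project): protobuf.js frequently arrives as a transitive dependency, so this Node.js code lists every copy recorded in a `package-lock.json` (v2/v3 layout) and flags those below a patched version. The lockfile contents, package names, versions and the `4.0.0` threshold are constructed placeholders; take the real patched version from GHSA-xq3m-2v4x-88gg.

```javascript
// Constructed sample in package-lock.json v2/v3 layout (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-service", version: "1.0.0" },
    "node_modules/protobufjs": { version: "4.5.6" },
    "node_modules/some-rpc-lib": { version: "2.0.0" },
    "node_modules/some-rpc-lib/node_modules/protobufjs": { version: "1.2.3" },
    "node_modules/protobufjs-cli": { version: "1.0.0" }, // different package, must not match
  },
};

// Compare dotted numeric versions; pre-release tags are ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// List every installed copy of protobufjs, including nested transitive copies.
function findProtobufjs(lock, patchedVersion) {
  const suffix = "node_modules/protobufjs";
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    // The parent is the package whose node_modules directory holds this copy.
    const parentPath = path.slice(0, path.length - suffix.length).replace(/\/$/, "");
    const parent = parentPath ? parentPath.split("node_modules/").pop() : "(root)";
    hits.push({
      path,
      parent,
      version: meta.version,
      needsUpgrade: compareVersions(meta.version, patchedVersion) < 0,
    });
  }
  return hits;
}

// PLACEHOLDER threshold: replace with the patched version named in GHSA-xq3m-2v4x-88gg.
const PATCHED_VERSION_PLACEHOLDER = "4.0.0";
for (const h of findProtobufjs(SAMPLE_LOCK, PATCHED_VERSION_PLACEHOLDER)) {
  console.log(`${h.path} ${h.version} via ${h.parent} -> ${h.needsUpgrade ? "UPGRADE" : "ok"}`);
}
```

Nested copies matter because upgrading the top-level dependency does not replace a copy pinned under another package's own `node_modules`.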