Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS

The Hacker News, June 10, 2026


Ravie Lakshmanan | Jun 10, 2026 | Vulnerability / JavaScript

Cybersecurity researchers have flagged half a dozen vulnerabilities in protobuf.js, a JavaScript and TypeScript implementation of Protocol Buffers (Protobuf), that, if successfully exploited, could result in remote code execution (RCE) and denial-of-service (DoS) attacks.

“In affected environments, a single malicious protobuf schema, descriptor, or crafted payload could be enough to trigger crashes, runtime corruption, or even code execution,” Cyera security researcher Assaf Morag said. The vulnerabilities have been codenamed Proto6.

Protobuf is a free and open-source, language-agnostic mechanism for serializing structured data. It was originally developed and used internally by Google before it was made publicly available in 2008.

The identified vulnerabilities affect Node.js applications that use protobuf.js, Google Cloud client libraries, messaging frameworks like Baileys, and CI/CD pipelines. Per Cyera, any Node.js service that deserializes Protobuf data or generates code from schemas with protobuf.js is likely impacted as well.

A brief description of each of the flaws is below –

  • CVE-2026-44289 (CVSS score: 7.5): DoS through unbounded protobuf recursion
  • CVE-2026-44290 (CVSS score: 7.5): Process-wide DoS when loading schemas with unsafe option paths
  • CVE-2026-44291 (CVSS score: 8.1): Code generation gadget after prototype pollution
  • CVE-2026-44292 (CVSS score: 5.3): Prototype injection in generated message constructors
  • CVE-2026-44294 (CVSS score: 5.3): DoS from crafted field names in generated code
  • CVE-2026-44295 (CVSS score: 8.7): Code injection in pbjs static output from crafted schema names

Cyera said all the vulnerabilities stem from the library’s handling of schema and metadata as trusted by default. Because schema-derived names and values are not validated before they shape parsing and code generation, they can influence application behavior and, in the worst case, lead to code execution.

“While exploitation of these vulnerabilities generally requires specific conditions, those conditions are increasingly common in data and AI ecosystems that routinely exchange data, schemas, and configuration files across services, repositories, cloud platforms, and third-party integrations,” Morag noted.

In a potential attack scenario, a bad actor could introduce a malicious protobuf schema to poison CI/CD workflows, leaking build secrets in the process (CVE-2026-44295), or crash Node.js services such as WhatsApp bots built using Baileys, a WhatsApp Web API automation TypeScript library, by means of a specially crafted message (CVE-2026-44292).

The most severe of the lot is CVE-2026-44291, which results in code execution when a Node.js application accepts attacker-controlled input.

“That input reaches a prototype pollution gadget,” security researcher Vladimir Tokarev explained. “Later, the same process uses protobuf.js to encode or decode a message. Because protobuf.js resolves type names through plain property lookups, a polluted Object.prototype can make an attacker-controlled string look like a valid protobuf primitive.”

“Protobuf.js then inserts that string into a generated encoder or decoder function and compiles it with Function(). The attacker gets arbitrary JavaScript execution inside the Node.js process.”
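The gadget Tokarev describes has two parts: a type-name lookup that walks the prototype chain, and a code generator that trusts whatever that lookup returns. The following is an added example, not protobuf.js code: the table of scalar types, the resolver names and the toy `Function()`-based generator are assumptions made for illustration. It contrasts a plain-object lookup with a hardened one (null-prototype table, own-property check, identifier allow-pattern) and simulates an already-polluted `Object.prototype` to show which resolver lets a foreign string reach generated source.

```javascript
// Added example, not protobuf.js code: the resolver names, the toy table and
// the toy code generator are assumptions made for illustration.

// Scalar type name -> reader method name, kept in a plain object.
const scalarReadersPlain = { int32: "int32", uint32: "uint32", string: "string", bool: "bool" };

// Unsafe lookup: `table[name]` follows the prototype chain, so built-in
// Object.prototype members and any polluted property pass as "known" types.
function resolveScalarUnsafe(name) {
  const method = scalarReadersPlain[name];
  return method === undefined ? null : method;
}

// Hardened lookup: null-prototype table, own-property check, and a strict
// identifier pattern before the name can reach generated source text.
const scalarReadersSafe = Object.assign(Object.create(null), scalarReadersPlain);
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

function resolveScalarSafe(name) {
  if (typeof name !== "string" || !IDENTIFIER.test(name)) return null;
  if (!Object.prototype.hasOwnProperty.call(scalarReadersSafe, name)) return null;
  return scalarReadersSafe[name];
}

// Toy generator in the "build source, compile with Function()" style the
// article describes; the resolver decides what may appear in that source.
function buildDecoder(typeName, resolve) {
  const method = resolve(typeName);
  if (method === null) throw new Error(`unknown scalar type: ${typeName}`);
  return new Function("reader", `return reader.${method}();`);
}

// Run `fn` while Object.prototype carries one extra property, then clean up.
// This only stands in for pollution that some earlier gadget already caused.
function withPollutedPrototype(key, value, fn) {
  Object.defineProperty(Object.prototype, key, { value, configurable: true, writable: true });
  try {
    return fn();
  } finally {
    delete Object.prototype[key];
  }
}

// What each resolver returns for a name: null means "rejected".
function compareResolvers(name) {
  return { unsafe: resolveScalarUnsafe(name), safe: resolveScalarSafe(name) };
}

// Demonstration when run directly with Node.
if (typeof require !== "undefined" && require.main === module) {
  console.log(compareResolvers("int32"));        // both accept
  console.log(compareResolvers("constructor"));  // unsafe accepts a built-in member
  const polluted = withPollutedPrototype("injectedType", "notARealMethod",
    () => compareResolvers("injectedType"));
  console.log(polluted);                         // unsafe: "notARealMethod", safe: null
}
```

The unsafe resolver accepts `constructor` even without any pollution, which is the tell that the lookup is keyed on the prototype chain rather than on the table's own entries. The hardened resolver rejects it, rejects the polluted name, and would reject any name that is not a bare identifier before it gets near `Function()`.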

The following versions of the library and its command-line tool are vulnerable –

  • protobuf.js: versions <= 7.5.5 and >= 8.0.0 <= 8.0.1
  • protobufjs-cli: versions <= 1.2.0 and >= 2.0.0 <= 2.0.1

Patches for the flaws are available in protobufjs 7.5.6 and 8.0.2, and protobufjs-cli 1.2.1 and 2.0.2. Users are advised to apply the latest fixes to safeguard against potential threats.
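Because protobufjs is usually pulled in transitively by SDKs and messaging libraries, the practical first step is to find every copy in a lockfile, including nested ones. The following is an added example, not code from the article or from the project: it encodes the vulnerable and fixed ranges exactly as listed above, walks the `packages` map of a lockfile v2/v3, and reports each affected copy with the patched version to move to. The lockfile object, the `some-sdk` package name and the helper names are constructed for the example.

```javascript
// Added example (not from the article or the project): flag protobufjs and
// protobufjs-cli copies in a package-lock.json that fall inside the ranges
// the advisory lists. The sample lockfile below is constructed.

// Inclusive [low, high] ranges from the advisory.
const VULNERABLE_RANGES = {
  "protobufjs": [["0.0.0", "7.5.5"], ["8.0.0", "8.0.1"]],
  "protobufjs-cli": [["0.0.0", "1.2.0"], ["2.0.0", "2.0.1"]],
};
// Patched releases from the advisory, lowest first.
const FIXED_VERSIONS = {
  "protobufjs": ["7.5.6", "8.0.2"],
  "protobufjs-cli": ["1.2.1", "2.0.2"],
};

// Minimal major.minor.patch comparison; prerelease tags are ignored.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Own-property check so a package named like a prototype member cannot match.
function isVulnerable(name, version) {
  if (!Object.prototype.hasOwnProperty.call(VULNERABLE_RANGES, name)) return false;
  return VULNERABLE_RANGES[name].some(
    ([lo, hi]) => cmpVersion(version, lo) >= 0 && cmpVersion(version, hi) <= 0
  );
}

// Prefer the fixed release in the same major line; otherwise the lowest one.
function fixFor(name, version) {
  const major = version.split(".")[0];
  const fixed = FIXED_VERSIONS[name];
  return fixed.find((v) => v.split(".")[0] === major) || fixed[0];
}

// Lockfile v2/v3 keys installed packages by path, e.g. "node_modules/protobufjs"
// or "node_modules/some-sdk/node_modules/protobufjs" for a nested copy.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || path.split("node_modules/").pop();
    if (!name || !entry.version) continue;
    if (isVulnerable(name, entry.version)) {
      findings.push({ path, name, version: entry.version, fixIn: fixFor(name, entry.version) });
    }
  }
  return findings;
}

// Constructed lockfile: one vulnerable top-level copy, one patched nested copy,
// and a vulnerable CLI. "some-sdk" is a placeholder dependency name.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-service", version: "1.0.0" },
    "node_modules/protobufjs": { version: "7.5.5" },
    "node_modules/some-sdk": { version: "4.2.0" },
    "node_modules/some-sdk/node_modules/protobufjs": { version: "7.5.6" },
    "node_modules/protobufjs-cli": { version: "2.0.1" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // For a real project: scanLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
  console.table(scanLockfile(SAMPLE_LOCK));
}
```

For a real repository, replace `SAMPLE_LOCK` with the parsed `package-lock.json`; nested copies under another package's `node_modules` are exactly the ones an `npm ls` at the top level is easy to miss, and each one needs its own upgrade path.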

“Because protobuf.js is heavily used inside databases, vector stores, inference pipelines, orchestration systems, CI/CD tooling, and cloud SDKs, successful exploitation could impact sensitive enterprise and AI workloads at scale,” Cyera said.

“Modern software increasingly treats schemas, metadata, and configuration files as trusted inputs that drive automation, orchestration, and code generation. When those trust assumptions break, data can become behavior. That shift creates new attack surfaces that security teams must learn to identify and manage.”
