Six Proto6 Vulnerabilities In Protobuf.js Put Node.js Applications At Risk Of RCE And DoS Attacks

Published:

Cybersecurity researchers have identified six vulnerabilities in protobuf.js, a widely used JavaScript and TypeScript implementation of Google’s Protocol Buffers, warning that affected systems face risks ranging from denial of service to remote code execution. The flaws, collectively named Proto6 by the researchers, affect environments where protobuf.js is used to process schemas, descriptors, or serialized data without sufficient validation. According to security researchers at Cyera, a single malicious protobuf schema or specially crafted payload can be enough to trigger application crashes, runtime instability, or arbitrary code execution in vulnerable systems. Protocol Buffers, commonly known as Protobuf, is an open-source, language-agnostic serialization framework originally developed internally by Google before being released publicly in 2008. It has since been widely adopted for efficient structured data serialization across cloud applications, enterprise software, and messaging platforms.

Researchers stated that the vulnerabilities affect Node.js applications using protobuf.js, as well as software environments relying on Google Cloud client libraries, messaging frameworks such as Baileys, and automated development pipelines. According to Cyera, any Node.js service that deserializes Protobuf data or generates code from schemas through protobuf.js may be affected. The vulnerabilities include several denial of service weaknesses and multiple issues related to code generation, prototype pollution, and unsafe schema handling. Identified flaws include CVE-2026-44289, which enables denial of service through unbounded recursion while processing protobuf input, and CVE-2026-44290, which can crash processes when schemas are loaded using unsafe option paths. Researchers highlighted CVE-2026-44291 as one of the most serious flaws because it can enable arbitrary code execution through prototype pollution. Other issues include CVE-2026-44292, involving prototype injection; CVE-2026-44294, causing denial of service through specially crafted field names; and CVE-2026-44295, a code injection vulnerability affecting the static code emitted by the pbjs tool when schema names are manipulated.

Cyera explained that the vulnerabilities largely originate from protobuf.js trusting schemas and metadata by default, without sufficient validation safeguards. Researchers warned that while successful exploitation often depends on particular conditions, these conditions are increasingly common in modern technology ecosystems, where data schemas, configuration files, and metadata are routinely exchanged between repositories, cloud platforms, artificial intelligence systems, and third-party integrations. In one possible attack scenario, threat actors could insert malicious protobuf schemas into CI/CD workflows to compromise build environments and expose sensitive secrets such as deployment credentials. Another risk highlighted by the researchers involves crashing Node.js services, such as WhatsApp bots built with Baileys, by sending specially crafted messages that trigger the vulnerabilities in the application.

The most severe issue, CVE-2026-44291, reportedly enables remote code execution when attacker-controlled input reaches a prototype pollution sink inside a Node.js application. Security researchers explained that protobuf.js resolves type names through standard property lookups, so a value that an attacker has planted on Object.prototype can be interpreted as a legitimate protobuf primitive. Once that value is spliced into generated encoder or decoder source and compiled through JavaScript's Function() constructor, the attacker gains arbitrary code execution inside the affected Node.js process. Vulnerable versions include protobuf.js 7.5.5 and earlier and 8.0.0 through 8.0.1, along with protobufjs-cli 1.2.0 and earlier and 2.0.0 through 2.0.1. Fixes have been released in protobuf.js 7.5.6 and 8.0.2 and in protobufjs-cli 1.2.1 and 2.0.2. Because protobuf.js is frequently pulled in transitively, for example through Google Cloud client libraries, checking direct dependencies alone is not enough; inspect the full dependency tree (for instance with npm ls protobufjs) for every copy that needs upgrading. Researchers advised organizations to update affected systems promptly, particularly as protobuf.js remains heavily integrated into databases, vector storage systems, cloud software development kits, orchestration platforms, inference pipelines, and enterprise artificial intelligence workloads, where exploitation could affect operations at scale.
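The following is an added illustration of the general pattern the researchers describe, written for this article; it is not protobuf.js code and does not reproduce the library's internals. A constructed type table is looked up with an ordinary property access, so a key an attacker has added to Object.prototype is returned as if it were a known primitive and ends up inside source passed to Function(). The hardened version beside it uses a null-prototype table, an own-property check, and an allow-list of snippets. All names (PRIMITIVES, generateEncoderUnsafe, generateEncoderSafe, the toy writer, and the harmless marker used to show the side effect) are hypothetical.

```javascript
// Constructed illustration (not protobuf.js code): a toy encoder generator
// that resolves field type names by plain property lookup and then compiles
// the generated source with Function().

// Hypothetical table of known wire primitives. An object literal inherits
// from Object.prototype, so lookups fall through to polluted keys.
const PRIMITIVES = {
  int32: "w.int32(v)",
  string: "w.string(v)",
};

// Vulnerable pattern: PRIMITIVES[fieldType] walks the prototype chain, so a
// name an attacker added to Object.prototype is treated as a real primitive
// and its text is spliced straight into the compiled function body.
function generateEncoderUnsafe(fieldType) {
  const snippet = PRIMITIVES[fieldType];
  if (snippet === undefined) throw new Error("unknown type " + fieldType);
  return new Function("w", "v", "return " + snippet + ";");
}

// Hardened pattern: a null-prototype table cannot inherit polluted keys,
// only own properties are accepted, and the resolved snippet must be one of
// the literals we wrote ourselves before it reaches Function().
const SAFE_PRIMITIVES = Object.assign(Object.create(null), PRIMITIVES);
const KNOWN_SNIPPETS = new Set(Object.values(PRIMITIVES));

function generateEncoderSafe(fieldType) {
  if (!Object.prototype.hasOwnProperty.call(SAFE_PRIMITIVES, fieldType)) {
    throw new Error("unknown type " + fieldType);
  }
  const snippet = SAFE_PRIMITIVES[fieldType];
  if (!KNOWN_SNIPPETS.has(snippet)) {
    throw new Error("refusing to compile unexpected snippet");
  }
  return new Function("w", "v", "return " + snippet + ";");
}

// Minimal hypothetical writer so the generated encoders have something to call.
const writer = {
  int32: (v) => "int32:" + v,
  string: (v) => "string:" + v,
};

// Demonstration: pollute Object.prototype the way a careless JSON merge might,
// using a harmless marker (globalThis.pwned) instead of anything damaging,
// then show that the unsafe generator compiles it and the safe one refuses.
function demo() {
  const results = {};
  results.cleanUnsafe = generateEncoderUnsafe("int32")(writer, 7);
  Object.prototype.evilType = "(globalThis.pwned = true, 'injected')";
  try {
    results.polluted = generateEncoderUnsafe("evilType")(writer, 0);
    results.sideEffect = globalThis.pwned === true;
    let safeRejected = false;
    try {
      generateEncoderSafe("evilType");
    } catch (e) {
      safeRejected = true;
    }
    results.safeRejected = safeRejected;
    results.cleanSafe = generateEncoderSafe("string")(writer, "x");
  } finally {
    delete Object.prototype.evilType;
    delete globalThis.pwned;
  }
  return results;
}

module.exports = { generateEncoderUnsafe, generateEncoderSafe, demo };
```

Running demo() shows the unsafe generator returning "injected" and setting the marker, while the hardened generator throws on the polluted name and still compiles legitimate types. The real fix in an application is to upgrade protobuf.js, since the lookup happens inside the library, but the same three controls (null-prototype tables, own-property checks, allow-listed snippets) apply to any code generator that builds source from names it did not author.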
