Proto6: Six Critical Vulnerabilities Uncovered in Protobuf.js, Threatening Data and AI Systems
Cybersecurity researchers have identified six critical vulnerabilities, collectively dubbed **Proto6**, in **protobuf.js**, a popular JavaScript and TypeScript implementation of **Protocol Buffers**. These flaws could enable remote code execution (RCE) and denial-of-service (DoS) attacks, impacting a wide array of Node.js applications, Google Cloud client libraries, and even AI ecosystems.
Cybersecurity researchers from **Cyera** have unveiled half a dozen vulnerabilities within **protobuf.js**, the widely used JavaScript and TypeScript implementation of **Protocol Buffers** (**Protobuf**). Successful exploitation of these flaws, collectively codenamed **Proto6**, could lead to severe consequences, including remote code execution (RCE) and denial-of-service (DoS) attacks.
**Assaf Morag**, a security researcher at **Cyera**, highlighted the potential impact: “In affected environments, a single malicious protobuf schema, descriptor, or crafted payload could be enough to trigger crashes, runtime corruption, or even code execution.”
**Protobuf** is an open-source, language-agnostic mechanism for serializing structured data, initially developed and utilized internally by **Google** before its public release in 2008.
### Widespread Impact Across Node.js and Cloud Environments
The identified vulnerabilities primarily affect **Node.js** applications leveraging **protobuf.js**, along with **Google Cloud** client libraries, messaging frameworks such as **Baileys**, and CI/CD pipelines. **Cyera** warns that any **Node.js** service that deserializes **Protobuf** data or generates code from schemas with **protobuf.js** is likely at risk.
### The Proto6 Vulnerabilities Explained
The six vulnerabilities are detailed as follows:
* **CVE-2026-44289** (CVSS score: 7.5): DoS through unbounded protobuf recursion.
* **CVE-2026-44290** (CVSS score: 7.5): Process-wide DoS when loading schemas with unsafe option paths.
* **CVE-2026-44291** (CVSS score: 8.1): Code generation gadget after prototype pollution.
* **CVE-2026-44292** (CVSS score: 5.3): Prototype injection in generated message constructors.
* **CVE-2026-44294** (CVSS score: 5.3): DoS from crafted field names in generated code.
* **CVE-2026-44295** (CVSS score: 8.7): Code injection in pbjs static output from crafted schema names.
**Cyera** attributes these vulnerabilities to the library's default assumption that schema and metadata inputs are trusted. Because those inputs are not validated, a crafted schema or descriptor can manipulate application behavior, potentially leading to code execution.
### Attack Scenarios
**Morag** emphasized that while exploitation requires specific conditions, these are increasingly common in modern data and AI ecosystems that frequently exchange data, schemas, and configuration files across various services and platforms.
An attacker could inject a malicious **protobuf** schema to compromise CI/CD workflows, leading to the leakage of build secrets (**CVE-2026-44295**). Alternatively, a specially crafted message could crash **Node.js** services, such as **WhatsApp** bots built using **Baileys** (**CVE-2026-44292**).
### The Most Severe Flaw: CVE-2026-44291
The most critical vulnerability, **CVE-2026-44291**, enables code execution when a **Node.js** application processes attacker-controlled input.
**Vladimir Tokarev**, another security researcher, explained the mechanism: “That input reaches a prototype pollution gadget. Later, the same process uses **protobuf.js** to encode or decode a message. Because **protobuf.js** resolves type names through plain property lookups, a polluted **Object.prototype** can make an attacker-controlled string look like a valid **protobuf** primitive.”
He added, “**Protobuf.js** then inserts that string into a generated encoder or decoder function and compiles it with **Function()**. The attacker gets arbitrary JavaScript execution inside the **Node.js** process.”
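The mechanism quoted above comes down to one defensive rule for any code generator: a name that will be spliced into a `Function()` body must be resolved without consulting the prototype chain and must be validated before it is used. The following is an added illustration, not protobuf.js code; the type table, `resolveType*` helpers and `generateWriter` are assumptions built for this example. It contrasts a plain-object lookup, which happily returns an inherited value, with a lookup that uses a `Map` (no prototype chain) and an identifier allowlist. The inherited property is simulated with `Object.create()` so the example never touches the global `Object.prototype`.

```javascript
// Added example (not protobuf.js code). Demonstrates why a code generator
// must not resolve type names with a plain obj[name] lookup.

// Primitive type names the generator is allowed to emit calls for (assumed table).
const PRIMITIVE_TYPES = new Map([
  ["int32", "int32"], ["uint32", "uint32"], ["int64", "int64"],
  ["bool", "bool"], ["string", "string"], ["bytes", "bytes"],
]);

// Only bare identifiers may ever reach generated source text.
const SAFE_IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Unsafe pattern: any property reachable through the prototype chain
// (own or inherited) satisfies the lookup.
function resolveTypeUnsafe(table, name) {
  const hit = table[name];
  return hit === undefined ? null : hit;
}

// Hardened variant for callers that must keep an object-shaped table:
// only own properties count.
function resolveTypeOwn(table, name) {
  return Object.hasOwn(table, name) ? table[name] : null;
}

// Hardened: Map lookup (no prototype chain) plus validation of both the
// requested name and the resolved value.
function resolveTypeSafe(name) {
  if (typeof name !== "string" || !SAFE_IDENT.test(name)) return null;
  if (!PRIMITIVE_TYPES.has(name)) return null;
  const resolved = PRIMITIVE_TYPES.get(name);
  return SAFE_IDENT.test(resolved) ? resolved : null;
}

// Generates a one-field writer. Everything spliced into the body has been
// vetted as a bare identifier; anything else is refused before Function() runs.
function generateWriter(fieldName, typeName) {
  const type = resolveTypeSafe(typeName);
  if (type === null || !SAFE_IDENT.test(fieldName)) {
    throw new Error(`refusing to generate code for ${fieldName}:${typeName}`);
  }
  return new Function("w", "m", `return w.${type}(m.${fieldName});`);
}

// Constructed table whose prototype carries an extra entry, standing in for
// a polluted prototype without modifying Object.prototype itself.
function makeDemoTable() {
  const inherited = { int32x: "anything" };
  const table = Object.create(inherited);
  table.int32 = "int32";
  return table;
}

function demo() {
  const table = makeDemoTable();
  return {
    unsafe: resolveTypeUnsafe(table, "int32x"), // inherited value accepted
    own: resolveTypeOwn(table, "int32x"),       // rejected: not an own property
    safe: resolveTypeSafe("int32x"),            // rejected: not a known primitive
  };
}
```

The same shape of fix applies wherever names from a schema, descriptor or message drive generated code: keep the lookup table prototype-free (`Map` or `Object.create(null)`), check `Object.hasOwn` when an object table is unavoidable, and allowlist the resolved string before it is compiled.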
### Affected Versions and Patches
The following versions are affected:
* **protobuf.js**: versions 7.5.5 and earlier, and 8.0.0 through 8.0.1
* **protobufjs-cli**: versions 1.2.0 and earlier, and 2.0.0 through 2.0.1
Patches are available in **protobufjs** versions 7.5.6 and 8.0.2, and **protobufjs-cli** versions 1.2.1 and 2.0.2. Users are strongly advised to apply these updates immediately to mitigate potential threats.
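Because protobufjs is usually pulled in transitively (through cloud SDKs or messaging libraries), a quick way to triage is to scan a lockfile rather than trust the top-level `package.json`. The script below is an added example, not part of the advisory or the project; it encodes the affected ranges listed above and walks the `packages` section of a constructed package-lock.json (v2/v3 layout), reporting every nested copy that falls in an affected range.

```javascript
// Added example (not from the advisory). Flags protobufjs / protobufjs-cli
// versions that fall inside the affected ranges quoted in the article.

// Parses "major.minor.patch", tolerating a leading "v", "^", "~" or "=".
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim().replace(/^[\^~=v]/, ""));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive [low, high] ranges from the advisory (fixed in 7.5.6 / 8.0.2 and 1.2.1 / 2.0.2).
const AFFECTED = new Map([
  ["protobufjs", [[[0, 0, 0], [7, 5, 5]], [[8, 0, 0], [8, 0, 1]]]],
  ["protobufjs-cli", [[[0, 0, 0], [1, 2, 0]], [[2, 0, 0], [2, 0, 1]]]],
]);

function isAffected(pkg, version) {
  const ranges = AFFECTED.get(pkg);
  if (!ranges) return false;
  const v = parseSemver(version);
  return ranges.some(([lo, hi]) => compareSemver(v, lo) >= 0 && compareSemver(v, hi) <= 0);
}

// Walks lockfile "packages" entries; the package name is the segment after
// the last "node_modules/", so nested copies are found too.
function findAffected(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED.has(name) || !entry.version) continue;
    if (isAffected(name, entry.version)) {
      findings.push({ path, name, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not a real project's lockfile).
const SAMPLE_LOCK = {
  packages: {
    "node_modules/protobufjs": { version: "7.5.5" },
    "node_modules/protobufjs-cli": { version: "2.0.2" },
    "node_modules/some-sdk/node_modules/protobufjs": { version: "8.0.1" },
  },
};

// Usage: node scan.js package-lock.json (falls back to the constructed sample).
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const f of findAffected(lock)) console.log(`${f.path}: ${f.name}@${f.version} affected`);
}
```

Point the script at each service's lockfile; an empty result for a repository that you know depends on a Google Cloud client library is a cue to check that the lockfile is current, not a reason to stop looking.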
### A New Attack Surface for AI Workloads
**Cyera** concluded by underscoring the broad implications: “Because **protobuf.js** is heavily used inside databases, vector stores, inference pipelines, orchestration systems, CI/CD tooling, and cloud SDKs, successful exploitation could impact sensitive enterprise and AI workloads at scale.”
This incident highlights a growing trend where “Modern software increasingly treats schemas, metadata, and configuration files as trusted inputs that drive automation, orchestration, and code generation. When those trust assumptions break, data can become behavior. That shift creates new attack surfaces that security teams must learn to identify and manage.”