Security researchers have disclosed six vulnerabilities in protobuf.js, a JavaScript and TypeScript implementation of Protocol Buffers, that could allow remote code execution or denial of service in affected Node.js applications. The issues, dubbed Proto6, affect versions used in cloud libraries, messaging tools, and CI/CD pipelines.
KEY FACTS
- Scope The flaws affect Node.js services that deserialize Protobuf data or generate code from schemas with protobuf.js.
- Severity The six CVEs range from CVSS 5.3 to 8.7.
- Highest risk CVE-2026-44295 and CVE-2026-44291 can lead to code execution in some conditions.
- Fixes Patches are available in protobufjs 7.5.6, 8.0.2, protobufjs-cli 1.2.1, and 2.0.2.
A technical analysis from Cyera said the flaws stem from protobuf.js treating schema and metadata as trusted by default. The report said a single malicious protobuf schema, descriptor, or crafted payload could trigger crashes, runtime corruption, or code execution in affected environments.
The six issues are tracked as CVE-2026-44289, CVE-2026-44290, CVE-2026-44291, CVE-2026-44292, CVE-2026-44294, and CVE-2026-44295. The report said the vulnerabilities affect protobuf.js versions 7.5.5 and earlier, and versions 8.0.0 through 8.0.1, along with protobufjs-cli versions 1.2.0 and earlier, and 2.0.0 through 2.0.1.
The most severe flaw, CVE-2026-44291, can lead to arbitrary JavaScript execution when attacker-controlled input reaches a prototype pollution gadget and later passes through protobuf.js encoding or decoding. Another issue, CVE-2026-44295, could expose secrets in CI/CD workflows if a malicious schema is introduced into static code generation.
Cyera said the affected software is widely used in databases, vector stores, inference pipelines, orchestration systems, cloud SDKs, and messaging frameworks. The company recommended applying the patched releases to reduce exposure across Node.js services and related automation tooling.
WHY IT MATTERS
The findings show how trusted schemas and metadata can become an attack path in automated software pipelines. In environments that exchange code, configuration, and data across services, the flaws could affect both application availability and the security of generated code.