Protobuf.js Vulnerabilities Expose Node.js Apps to Code Execution, DoS

"In affected environments, a single malicious protobuf schema, descriptor, or crafted payload could be enough to trigger crashes, runtime corruption, or even code execution," Cyera security researcher Assaf Morag warned.

The Proto6 flaws and the CVEs

Cybersecurity researchers cataloged six vulnerabilities—collectively codenamed Proto6—in protobuf.js, a JavaScript and TypeScript implementation of Protocol Buffers. The defects carry six CVE identifiers and a range of severity scores (CVSS):

  • CVE-2026-44289 (CVSS 7.5): denial-of-service via unbounded protobuf recursion.
  • CVE-2026-44290 (CVSS 7.5): process-wide DoS when loading schemas with unsafe option paths.
  • CVE-2026-44291 (CVSS 8.1): code generation gadget exploitable after prototype pollution.
  • CVE-2026-44292 (CVSS 5.3): prototype injection in generated message constructors.
  • CVE-2026-44294 (CVSS 5.3): DoS from crafted field names in generated code.
  • CVE-2026-44295 (CVSS 8.7): code injection in pbjs static output from crafted schema names.

How exploitation can play out in real systems

Cyera’s advisory outlines concrete attack scenarios. An adversary who can supply a malicious protobuf schema to a build pipeline could poison CI/CD workflows and, in the process, exfiltrate build secrets via CVE-2026-44295. Separately, a specially crafted message could crash Node.js services such as WhatsApp bots implemented with the Baileys TypeScript library through CVE-2026-44292.

Cyera emphasized that "any Node.js service that deserializes Protobuf data or generates code from schemas with protobuf.js is likely impacted." The company named additional affected touchpoints: Google Cloud client libraries, messaging frameworks like Baileys, and CI/CD pipelines. Because protobuf.js is widely embedded, Cyera warned that successful exploitation "could impact sensitive enterprise and AI workloads at scale."

Why protobuf.js was susceptible

All six flaws stem from a common root: the library treats schema and metadata as trusted by default, leaving insufficient validation. That trust assumption opens paths from data to behavior.

The most dangerous chain described is prototype pollution leading to code execution (CVE-2026-44291). As security researcher Vladimir Tokarev explained, attacker-controlled input can reach "a prototype pollution gadget." If an attacker can pollute Object.prototype, protobuf.js may resolve type names through plain property lookups and mistake attacker-controlled strings for valid protobuf primitives. Protobuf.js then inserts the string into a generated encoder or decoder and compiles it with Function(), granting "arbitrary JavaScript execution inside the Node.js process."
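To make the chain above concrete, here is an added illustration, not protobuf.js code, of how a type table looked up with a plain property access starts returning inherited values once Object.prototype is polluted, beside a resolver that only accepts own properties before anything reaches Function(). The table, function names and the polluted key are hypothetical and constructed for this example.

```javascript
// Hypothetical scalar-type table: maps a schema type name to the snippet a
// code generator would splice into an encoder body (assumption for this example).
const WRITERS = { int32: "w.int32(v)", string: "w.string(v)", bool: "w.bool(v)" };

// Weak: a plain lookup walks the prototype chain, so a key polluted onto
// Object.prototype resolves as if it were a real scalar type.
function resolveWriterWeak(typeName) {
  return WRITERS[typeName];
}

// Hardened: only own properties count. A null-prototype object or a Map
// would give the same guarantee; the point is that inherited keys never match.
function resolveWriterSafe(typeName) {
  if (!Object.hasOwn(WRITERS, typeName)) {
    throw new TypeError(`unknown protobuf scalar type: ${typeName}`);
  }
  return WRITERS[typeName];
}

// The generator step: whatever the resolver returns is compiled with Function(),
// so the resolver is the last check between schema-controlled input and code.
function buildEncoder(typeName, resolve) {
  const snippet = resolve(typeName);
  return new Function("w", "v", `${snippet}; return w;`);
}

// Constructed pollution to compare both resolvers. Nothing is executed from
// the polluted value; we only observe whether it leaks through the lookup.
function demo() {
  Object.prototype.polluted = "/* would be spliced into generated code */";
  try {
    const leaked = typeof resolveWriterWeak("polluted") === "string";
    let rejected = false;
    try { resolveWriterSafe("polluted"); } catch (e) { rejected = e instanceof TypeError; }
    return { weakLeaked: leaked, safeRejected: rejected };
  } finally {
    delete Object.prototype.polluted; // always undo the constructed pollution
  }
}
```

Running `demo()` with the table above yields `weakLeaked: true` and `safeRejected: true`; the safe resolver also rejects inherited names such as `__proto__` or `toString`.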

Affected releases and available patches

Cyera published precise version ranges. The vulnerable releases are protobufjs up to and including 7.5.5, and 8.0.0 through 8.0.1; and protobufjs-cli up to and including 1.2.0, and 2.0.0 through 2.0.1. Patches are available: protobufjs 7.5.6 and 8.0.2, and protobufjs-cli 1.2.1 and 2.0.2. Users were advised to apply these fixes to safeguard services that ingest schemas, decode Protobuf messages, or generate code with protobuf.js.

What this means for security teams, cloud providers, and developers

  • Security teams and DevOps: identify any Node.js services or pipelines that deserialize Protobuf data or run pbjs-generated code; prioritize updates to the patched protobufjs and protobufjs-cli releases and scan repositories for untrusted schema inputs.
  • Cloud providers and SDK maintainers: review client libraries and SDKs that embed protobuf.js for the vulnerable versions and push or document fixes, given Cyera’s callout of Google Cloud client libraries as impacted.
  • Developers and CI/CD owners: treat schemas, metadata, and configuration files as untrusted inputs in automation workflows. Cyera’s advisory stresses that "modern software increasingly treats schemas, metadata, and configuration files as trusted inputs that drive automation, orchestration, and code generation," and that when those assumptions fail, "data can become behavior."

Cyera’s findings expose a tension in modern software: convenience and automation depend on treating structured metadata as authoritative, but that same design can convert a piece of data into an active exploit. The fixes are released and straightforward to apply, but the advisory serves as a reminder that libraries which synthesize code or execute generated functions deserve additional scrutiny when they accept external schemas or metadata.