Six protobuf.js flaws let malicious schemas run code in Node.js apps

Researchers at Cyera have disclosed six vulnerabilities, collectively named Proto6, in protobuf.js, a JavaScript and TypeScript library for Google's Protocol Buffers data format that sees more than 50 million downloads a week. The flaws stem from the library trusting schema and metadata by default, so a single malicious schema or crafted payload can crash a service, inject code, or lead to remote code execution. Cyera demonstrated real attacks including poisoning CI/CD pipelines to leak build secrets and crashing WhatsApp automation bots. Because protobuf.js is embedded across cloud services, AI platforms, and build systems, the reach is broad. Fixed versions are 7.5.6 and 8.0.2.

Check
Inventory applications and pipelines that depend on protobuf.js directly or transitively, and identify any that deserialize Protobuf data or generate code from schemas supplied by untrusted sources.
Affected
Node.js applications, cloud client libraries, CI/CD pipelines, and messaging frameworks using protobuf.js before 7.5.6 or 8.0.2 (CVEs include CVE-2026-44289, CVE-2026-44295) that process untrusted schemas.
Fix
Upgrade protobuf.js to 7.5.6 or 8.0.2 and protobufjs-cli to 1.2.1 or 2.0.2, and treat incoming schemas and descriptors as untrusted input rather than safe data.
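As an added check for the inventory step above (example code, not Cyera's or the protobuf.js project's own), the script below flags protobufjs and protobufjs-cli entries in an npm package-lock.json that are older than the fixed releases given here; the lockfile is constructed, and the rule that a version is vulnerable when it is older than the fix on its own major line or on an older major line is an assumption.

```javascript
// Added example (not Cyera's or protobuf.js's own code): scan a package-lock.json
// (lockfileVersion 2 or 3) for protobufjs / protobufjs-cli older than the fixes.
const FIXED = {
  'protobufjs': [[7, 5, 6], [8, 0, 2]],
  'protobufjs-cli': [[1, 2, 1], [2, 0, 2]],
};

function parseVersion(v) {
  const m = typeof v === 'string' && /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Assumed rule: vulnerable when older than the fix on its own major line, or on
// a major older than every fixed line (e.g. 6.x); newer majors are treated as fixed.
function isVulnerable(name, version) {
  const lines = FIXED[name];
  const v = parseVersion(version);
  if (!lines || !v) return false;
  const same = lines.find((f) => f[0] === v[0]);
  return same ? cmp(v, same) < 0 : v[0] < lines[0][0];
}

// Walk every installed path, including nested copies under other packages.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop(); // works for scoped names too
    if (isVulnerable(name, entry.version)) hits.push({ path, name, version: entry.version });
  }
  return hits;
}

// Constructed lockfile: a dev dependency on the CLI and a transitive protobufjs
// nested under another package, beside an already-fixed top-level copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/protobufjs-cli': { version: '1.1.3', dev: true },
    'node_modules/@grpc/proto-loader': { version: '0.7.0' },
    'node_modules/@grpc/proto-loader/node_modules/protobufjs': { version: '7.4.0' },
    'node_modules/protobufjs': { version: '8.0.2' },
  },
};
```

Run it against a real lockfile with `findVulnerable(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; an empty result means no entry is below the fixed versions, not that untrusted schemas are safe to load.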