Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS

Staff Editor 2026-06-10
Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS

Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS

https://thehackernews.com/2026/06/six-proto6-vulnerabilities-in.html

Publish Date: 2026-06-10 01:08:00

Source Domain: thehackernews.com

Ravie LakshmananJun 10, 2026Vulnerability / JavaScript

Cybersecurity researchers have flagged half a dozen vulnerabilities in protobuf.js, a JavaScript and TypeScript implementation of Protocol Buffers (Protobuf), that, if successfully exploited, could result in remote code execution (RCE) and denial-of-service (DoS) attacks.

“In affected environments, a single malicious protobuf schema, descriptor, or crafted payload could be enough to trigger crashes, runtime corruption, or even code execution,” Cyera security researcher Assaf Morag said. The vulnerabilities have been codenamed Proto6.

Protobuf is a free and open-source, language-agnostic mechanism for serializing structured data. It was originally developed and used internally by Google before it was made publicly available in 2008.

The identified vulnerabilities affect Node.js applications that use protobuf.js, Google Cloud client libraries, messaging frameworks like Baileys, and CI/CD pipelines. Per Cyera, any Node.js service that deserializes Protobuf data or generates code from schemas with protobuf.js is likely impacted as well.

A brief description of each of the flaws is below –

  • CVE-2026-44289 (CVSS score: 7.5): DoS through unbounded protobuf recursion
  • CVE-2026-44290 (CVSS score: 7.5): Process-wide DoS when loading schemas with unsafe option paths
  • CVE-2026-44291 (CVSS score: 8.1): Code generation gadget after prototype pollution
  • CVE-2026-44292 (CVSS score: 5.3): Prototype injection in generated message constructors
  • CVE-2026-44294 (CVSS score: 5.3): DoS from crafted field names in generated code
  • CVE-2026-44295 (CVSS score: 8.7): Code injection in pbjs static output from crafted schema names

Cyera said all the vulnerabilities stem from the library’s handling of schema and metadata as trusted by default. This validation oversight could influence application behavior and lead to code execution.

“While exploitation of these vulnerabilities generally requires specific conditions,…

Source

More Stories

CrowdStrike warns of increasing Chinese AI cyberattacks on U.S. tech

CrowdStrike warns of increasing Chinese AI cyberattacks on U.S. tech

Staff Editor 2026-06-10
Cybersecurity is community security – eJewishPhilanthropy

Cybersecurity is community security – eJewishPhilanthropy

Staff Editor 2026-06-10
Belgian cybersecurity unicorn Aikido Security tops latest Sifted ranking

Belgian cybersecurity unicorn Aikido Security tops latest Sifted ranking

Staff Editor 2026-06-10

Terms and Conditions - Privacy Policy