Full Report
Cybersecurity researchers have flagged half a dozen vulnerabilities in protobuf.js, a JavaScript and TypeScript implementation of Protocol Buffers (Protobuf), that, if successfully exploited, could result in remote code execution (RCE) and denial-of-service (DoS) attacks. "In affected environments, a single malicious protobuf schema, descriptor, or crafted payload could be enough to trigger
Analysis Summary
# Vulnerability: "Proto6" — Multiple Vulnerabilities in protobuf.js
## CVE Details
This research covers six distinct vulnerabilities collectively known as **Proto6**:
- **CVE-2026-44295**: CVSS **8.7** (High/Critical) – Code injection in pbjs static output.
- **CVE-2026-44291**: CVSS **8.1** (High) – Code generation gadget via prototype pollution.
- **CVE-2026-44289**: CVSS **7.5** (High) – DoS via unbounded recursion.
- **CVE-2026-44290**: CVSS **7.5** (High) – Process-wide DoS via unsafe option paths.
- **CVE-2026-44292**: CVSS **5.3** (Medium) – Prototype injection in message constructors.
- **CVE-2026-44294**: CVSS **5.3** (Medium) – DoS from crafted field names.
- **CWE**: CWE-94 (Code Injection), CWE-1321 (Prototype Pollution), CWE-674 (Uncontrolled Recursion).
## Affected Systems
- **Products**: Node.js applications using `protobuf.js`, `protobufjs-cli`, Google Cloud client libraries, messaging frameworks (e.g., Baileys WhatsApp API), and CI/CD pipelines.
- **Versions**:
- `protobuf.js`: Versions `< 7.2.4`, `7.2.5` to `< 7.5.6`, and `8.0.0` to `8.0.1`.
- `protobufjs-cli`: Versions `<= 1.2.0` and `2.0.0` to `2.0.1`.
- **Configurations**: Applications that deserialize untrusted Protobuf data, load external schemas/descriptors, or use the `pbjs` tool for static code generation.
## Vulnerability Description
The flaws stem from `protobuf.js` treating schemas and metadata as **trusted by default**.
- **RCE Workflow (CVE-2026-44291):** If the application already has a prototype pollution flaw, an attacker can add properties to `Object.prototype`. Because the library resolves type names with plain property lookups (which walk the prototype chain), it can be tricked into treating an attacker-controlled string as a valid primitive type. That string is then spliced into the body of a generated encoder/decoder function and executed via `Function()`.
- **DoS Workflow:** Triggered by unbounded recursion over deeply nested messages, or by malicious field names or option paths that crash the Node.js process.
## Exploitation
- **Status**: Proof-of-concept code is referenced by the researchers (Cyera and Vladimir Tokarev). No in-the-wild exploitation has been confirmed yet, but the attacks are considered highly feasible.
- **Complexity**: Medium (Requires specific conditions like prototype pollution or the ability to provide a custom schema).
- **Attack Vector**: Network (Remote).
## Impact
- **Confidentiality**: **High** (RCE allows full system access; secret leakage in CI/CD).
- **Integrity**: **High** (Arbitrary code execution and runtime corruption).
- **Availability**: **High** (Multiple vectors for process-wide Denial of Service).
## Remediation
### Patches
Update to the following versions or higher:
- **protobufjs**: 7.5.6 or 8.0.2
- **protobufjs-cli**: 1.2.1 or 2.0.2
### Workarounds
- Validate all incoming Protobuf schemas and descriptors before processing.
- Implement strict input validation to prevent prototype pollution at the application boundary.
- Sanitize data used in CI/CD pipelines to prevent malicious schema injection.
## Detection
- **Indicators of Compromise**: Unexpected crashes in Node.js services; unusual CPU spikes during deserialization; unauthorized access to CI/CD environment variables.
- **Detection Methods**:
- Use Software Composition Analysis (SCA) tools to identify vulnerable versions of `protobuf.js`.
- Audit logs for unexpected `Function()` calls or prototype pollution attempts.
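One concrete form of the SCA check above, as an added example that is not part of the Proto6 research or the protobuf.js project: it encodes the affected version ranges listed under Affected Systems and scans a package-lock.json `packages` map for every affected copy of `protobufjs` and `protobufjs-cli`, nested duplicates included. The lock data is a constructed sample and `some-client` is a placeholder dependency name.

```javascript
// Added example (not the advisory's or protobuf.js's own code): flag installed
// protobufjs / protobufjs-cli versions that fall inside the affected ranges above.
const AFFECTED = {
  protobufjs: [
    { lo: null, hi: "7.2.4", hiInclusive: false },    // < 7.2.4
    { lo: "7.2.5", hi: "7.5.6", hiInclusive: false }, // 7.2.5 to < 7.5.6
    { lo: "8.0.0", hi: "8.0.1", hiInclusive: true },  // 8.0.0 to 8.0.1
  ],
  "protobufjs-cli": [
    { lo: null, hi: "1.2.0", hiInclusive: true },     // <= 1.2.0
    { lo: "2.0.0", hi: "2.0.1", hiInclusive: true },  // 2.0.0 to 2.0.1
  ],
};
// Parse "MAJOR.MINOR.PATCH"; a leading "v" and any pre-release suffix are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}
function isAffected(pkg, version) {
  const ranges = Object.hasOwn(AFFECTED, pkg) ? AFFECTED[pkg] : undefined;
  if (!ranges) throw new Error(`unknown package: ${pkg}`);
  return ranges.some(({ lo, hi, hiInclusive }) => {
    const aboveLo = lo === null || compareVersions(version, lo) >= 0;
    const c = compareVersions(version, hi);
    return aboveLo && (hiInclusive ? c <= 0 : c < 0);
  });
}
// Walk a package-lock.json "packages" map; nested duplicates under other dependencies count too.
function findAffectedInLock(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // last segment is the package name
    // Object.hasOwn is an own-property check, not the prototype-chain lookup the advisory warns about.
    if (Object.hasOwn(AFFECTED, name) && info.version && isAffected(name, info.version)) {
      hits.push({ path, version: info.version });
    }
  }
  return hits;
}
const SAMPLE_LOCK = { packages: { // constructed sample; "some-client" is a placeholder name
  "node_modules/protobufjs": { version: "7.5.3" },
  "node_modules/protobufjs-cli": { version: "1.2.1" },
  "node_modules/some-client/node_modules/protobufjs": { version: "8.0.1" },
} };
console.log(findAffectedInLock(SAMPLE_LOCK)); // the two protobufjs copies are reported
```

Point it at a real lock file with `findAffectedInLock(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; any hit means the fixed versions under Remediation have not been picked up for that copy.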
## References
- Cyera Research: hxxps://www.cyera[.]com/blog/cyera-research-uncovers-six-protobuf-js-vulnerabilities-impacting-the-backbone-of-data-and-ai-systems
- Technical Breakdown: hxxps://www.cyera[.]com/research/proto6-the-schema-was-not-supposed-to-run
- Project Homepage: hxxps://protobuf[.]dev/