Cyera Research has disclosed six vulnerabilities, collectively named Proto6, in protobuf.js, the dominant JavaScript/TypeScript implementation of Protocol Buffers. The package draws more than 50 million downloads a week and rides into stacks transitively far more often than directly: through @grpc/proto-loader, Google Cloud client libraries, the Milvus vector-database SDK, the Temporal TypeScript SDK, OpenTelemetry’s JS exporters, and messaging frameworks like Baileys. If a Node.js service decodes protobuf it did not author, or generates code from a .proto schema, it is almost certainly in scope.

The throughline across all six bugs: protobuf.js trusts schema definitions, descriptors, field names, and options as if they were code-signed, when in practice those inputs increasingly arrive from registries, repos, third-party integrations, and over the wire. Cyera’s framing is the part worth pinning to the wall — “data can become behavior.”

The six CVEs

  • CVE-2026-44291 (CVSS 8.1) — Code-generation gadget reachable after prototype pollution. The RCE primitive.
  • CVE-2026-44295 (CVSS 8.7) — Code injection in pbjs static output from crafted schema names. The highest-scored of the set.
  • CVE-2026-44289 (CVSS 7.5) — DoS via unbounded protobuf recursion.
  • CVE-2026-44290 (CVSS 7.5) — Process-wide DoS when loading schemas with unsafe option paths.
  • CVE-2026-44292 (CVSS 5.3) — Prototype injection in generated message constructors.
  • CVE-2026-44294 (CVSS 5.3) — DoS from crafted field names in generated code.

The RCE chain

CVE-2026-44291 is the one to understand. protobuf.js resolves type names through plain JavaScript property lookups against objects with inherited prototypes. If something else in the process has already polluted Object.prototype — a common gadget in the npm dependency soup — an attacker-controlled string can be made to resolve as a legitimate protobuf primitive. protobuf.js then splices that string into a generated encoder/decoder function and compiles it with Function(). The result is arbitrary JavaScript execution inside the Node.js process. Prototype pollution on its own is usually a shrug; here it is the on-ramp to code execution, which is why you should treat any co-installed prototype-pollution finding as RCE-adjacent if protobuf.js is in the tree.

The CI/CD angle

CVE-2026-44295 lands squarely on build pipelines. Teams run pbjs to generate static code from .proto files, and those schemas routinely flow in from pull requests, vendored components, and schema registries. A malicious schema name can inject code into the generated output, which then executes inside the build. Build systems hold the keys to everything downstream — source repos, deployment credentials, cloud roles, signing certificates — so a schema that “just generates some code” can become a supply-chain pivot point. This is a vulnerability, not an in-the-wild package compromise, but it is exactly the class of bug that enables one.

Who is affected

Vulnerable: protobuf.js <= 7.5.5 and >= 8.0.0 <= 8.0.1; protobufjs-cli <= 1.2.0 and >= 2.0.0 <= 2.0.1. Because adoption is overwhelmingly transitive, your package.json is a poor guide — check the lockfile. The DoS bugs (notably CVE-2026-44289) matter most for internet-facing gRPC, API, WebSocket, and message-queue services that decode untrusted payloads; a single crafted message can crash a service, and because message brokers persist the offending message, some frameworks enter a restart-crash loop. There are no reports of active exploitation as of this writing.

What to do now

Patches are out: upgrade to protobufjs 7.5.6 or 8.0.2, and protobufjs-cli 1.2.1 or 2.0.2. Then:

  • Audit direct and transitive dependencies — npm ls protobufjs across your services.
  • Prioritize edge services that decode untrusted protobuf for the DoS fixes.
  • Review co-installed prototype-pollution exposure that could chain into CVE-2026-44291.
  • Treat .proto files, JSON descriptors, and FileDescriptorSet sources as untrusted input; validate before loading.
  • Harden pbjs usage in CI: pin versions, verify schema integrity, and stop generating static code from untrusted schemas.
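The lockfile check recommended above (and the "npm ls" audit step), as an added example that is not from Cyera's writeup or the protobuf.js project: it walks an npm lockfile's v2/v3 "packages" map, so nested transitive copies are found too, and flags protobufjs / protobufjs-cli versions inside the ranges quoted in this article. The sample lockfile is constructed for the demonstration.

```javascript
// Added example (not from the Cyera writeup or protobuf.js): scan an npm
// lockfile (lockfileVersion 2/3 "packages" map) for protobufjs / protobufjs-cli
// installs in the vulnerable ranges quoted above, including nested copies.
const VULN_RANGES = {
  // [minInclusive, maxInclusive]; a null minimum means "any lower version".
  "protobufjs":     [[null, "7.5.5"], ["8.0.0", "8.0.1"]],
  "protobufjs-cli": [[null, "1.2.0"], ["2.0.0", "2.0.1"]],
};

// Compare two "x.y.z" strings numerically (any pre-release suffix is ignored).
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isVulnerable(name, version) {
  const ranges = VULN_RANGES[name];
  if (!ranges) return false;
  return ranges.some(([min, max]) =>
    (min === null || cmpVersion(version, min) >= 0) && cmpVersion(version, max) <= 0);
}

// Lockfile keys look like "node_modules/a/node_modules/@scope/b"; the package
// name is everything after the last "node_modules/" (scoped names included).
function findVulnerable(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1 || !meta.version) continue;
    const name = path.slice(i + "node_modules/".length);
    if (isVulnerable(name, meta.version)) hits.push({ path, name, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile: the root copy is patched, but a stale copy is
// nested under a gRPC dependency, which is exactly what "npm ls" would surface.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "svc", version: "1.0.0" },
    "node_modules/protobufjs": { version: "8.0.2" },
    "node_modules/@grpc/proto-loader": { version: "0.0.0-sample" },
    "node_modules/@grpc/proto-loader/node_modules/protobufjs": { version: "7.5.5" },
    "node_modules/protobufjs-cli": { version: "1.2.1" },
  },
};

console.log(findVulnerable(SAMPLE_LOCK)); // reports only the nested 7.5.5 copy
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse of the package-lock.json contents.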

Read the disclosure: Cyera’s Proto6 writeup and the technical deep-dive.