Cyera Finds 6 protobuf.js Flaws, Including RCE in 50 Million-Download Library
Updated · InfoWorld · Jun 8
Summary
Six vulnerabilities in protobuf.js let attackers abuse schema and metadata handling to trigger remote code execution, denial of service, prototype pollution and code injection, Cyera said.
CVE-2026-44291 is the most severe: attackers can poison schema-derived values so protobuf.js generates and executes malicious code via JavaScript’s Function() constructor inside Node.js.
A separate flaw, CVE-2026-44295, hits the pbjs CLI tool, where crafted schema names can be written into generated JavaScript and run later when those files are imported.
Versions 7.5.5 and earlier plus 8.0.0 and 8.0.1 are affected; fixes are in protobuf.js 7.5.6 and 8.0.2, while protobuf.js-cli users should move to 1.2.1 or 2.0.2.
The risk is amplified because protobuf.js is often a transitive dependency in gRPC and cloud tooling, making malicious schemas in CI/CD and software supply chains harder for organizations to spot.
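The remediation versions listed above are the actionable part of the advisory, and because protobuf.js typically arrives as a nested transitive dependency, a top-level `package.json` check is not enough. The following is an added example (not code from the article, Cyera, or the protobuf.js project) that walks an npm lockfile's `packages` map, including nested `node_modules` copies, and flags the versions the article names as affected: 7.5.5 and earlier, 8.0.0 and 8.0.1 for `protobufjs`. The article gives only the fixed versions 1.2.1 and 2.0.2 for the CLI package, so treating everything below those on the 1.x and 2.x lines as affected is an assumption here, as is the package name `protobufjs-cli` and the constructed lockfile sample.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" shape) for
// protobuf.js versions the article lists as affected.
// protobufjs: 7.5.5 and earlier, 8.0.0 and 8.0.1 (fixed in 7.5.6 / 8.0.2).
// protobufjs-cli (ASSUMPTION): below 1.2.1 on 1.x, below 2.0.2 on 2.x;
// the article only states the fixed versions.

function parseVersion(v) {
  // Accepts "7.5.5" or "7.5.5-beta"; returns [major, minor, patch] or null.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(pkg, version) {
  const v = parseVersion(version);
  if (!v) return false; // unparsable versions are not judged here
  if (pkg === 'protobufjs') {
    // "7.5.5 and earlier" covers every release below 7.5.6, on any major.
    if (cmp(v, [7, 5, 6]) < 0) return true;
    return v[0] === 8 && cmp(v, [8, 0, 2]) < 0;
  }
  if (pkg === 'protobufjs-cli') {
    // ASSUMPTION: affected ranges inferred from the fixed versions only.
    if (v[0] === 1) return cmp(v, [1, 2, 1]) < 0;
    if (v[0] === 2) return cmp(v, [2, 0, 2]) < 0;
  }
  return false;
}

// Walks every entry in lock.packages; the key's last "node_modules/"
// component is the package name, which also handles scoped packages and
// nested copies installed under other dependencies.
function auditLockfile(lock) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (name !== 'protobufjs' && name !== 'protobufjs-cli') continue;
    if (isAffected(name, entry.version)) {
      findings.push({ path, name, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one patched top-level
// copy, two vulnerable nested copies, and an assumed-affected CLI version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-service', version: '1.0.0' },
    'node_modules/protobufjs': { version: '7.5.6' },
    'node_modules/example-grpc-tooling': { version: '0.1.0' },
    'node_modules/example-grpc-tooling/node_modules/protobufjs': { version: '7.4.0' },
    'node_modules/example-cli-wrapper/node_modules/protobufjs': { version: '8.0.1' },
    'node_modules/protobufjs-cli': { version: '1.1.3' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

The nested-copy handling is the point: `npm ls protobufjs` will show the same thing, but a lockfile walk can be dropped into CI and run against every service repository without installing anything.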
With AI systems constantly exchanging data schemas, is the protobuf.js flaw the first of many new supply chain attacks?
A library used by Google Cloud has a major flaw. Can we trust dynamically generated code from any open-source library?
68 Million Weekly Downloads Exposed: Inside the 2026 `protobuf.js` Security Crisis
Overview
In June 2026, Cyera Research publicly disclosed multiple severe vulnerabilities in `protobuf.js`, the most widely used JavaScript runtime for Protocol Buffers. These flaws, assigned seven CVEs, allow attackers to perform Remote Code Execution, Denial of Service, Privilege Escalation, Prototype Pollution, and Code Injection. The vulnerabilities were first reported through GitHub Security Advisories in April 2026 and officially assigned in May. With nearly 69 million weekly downloads from npm, `protobuf.js` is deeply embedded in countless applications, making this incident a major threat to the global JavaScript ecosystem and highlighting the urgent need for immediate remediation.