Ethical Hacking News
Cybersecurity researchers have uncovered a set of vulnerabilities, known as Proto6, in protobuf.js that could expose Node.js apps to RCE and DoS attacks. The identified vulnerabilities include six distinct flaws, including CVE-2026-44289 (CVSS score 7.5): DoS through unbounded protobuf recursion; CVE-2026-44290 (CVSS score 7.5): Process-wide DoS when loading schemas with unsafe option paths; and CVE-2026-44295 (CVSS score 8.7): Code injection in pbjs static output from crafted schema names. Users are advised to apply the latest patches to safeguard against potential threats.
Cybersecurity researchers have recently uncovered a set of vulnerabilities, known as Proto6, in protobuf.js, a JavaScript and TypeScript implementation of Protocol Buffers (Protobuf). These flaws, if successfully exploited, could result in remote code execution (RCE) and denial-of-service (DoS) attacks on Node.js applications that use protobuf.js. The identified vulnerabilities affect not only Node.js services but also Google Cloud client libraries, messaging frameworks like Baileys, and CI/CD pipelines.
The vulnerabilities have been codenamed Proto6 and include six distinct flaws: CVE-2026-44289 (CVSS score 7.5): DoS through unbounded protobuf recursion; CVE-2026-44290 (CVSS score 7.5): Process-wide DoS when loading schemas with unsafe option paths; CVE-2026-44291 (CVSS score 8.1): Code generation gadget after prototype pollution; CVE-2026-44292 (CVSS score 5.3): Prototype injection in generated message constructors; CVE-2026-44294 (CVSS score 5.3): DoS from crafted field names in generated code; and CVE-2026-44295 (CVSS score 8.7): Code injection in pbjs static output from crafted schema names.
According to Cyera security researcher Assaf Morag, "In affected environments, a single malicious protobuf schema, descriptor, or crafted payload could be enough to trigger crashes, runtime corruption, or even code execution." The underlying oversight is that the library treats schema and metadata as trusted by default; without validation, crafted input can influence application behavior and ultimately lead to code execution.
The vulnerabilities stem primarily from the way protobuf.js resolves type names through plain property lookups. According to Vladimir Tokarev, security researcher at Cyera, "A polluted Object.prototype can make an attacker-controlled string look like a valid protobuf primitive." As a result, a malicious payload that ends up in the generated encoder or decoder function can execute arbitrary JavaScript inside the Node.js process.
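The lookup problem described above, as an added illustration that is not protobuf.js's own code: a hypothetical type registry resolved by name, first with a plain property lookup (which falls through to Object.prototype) and then with a null-prototype registry plus an own-property check. The `PRIMITIVES` table, the `resolveType*` functions and the polluted key are all constructed for this example.

```javascript
// Hypothetical registry of primitive type names (constructed for this example).
const PRIMITIVES = { int32: 'int32', string: 'string', bool: 'bool' };

// Plain property lookup: inherited keys (polluted ones, or built-ins such as
// 'constructor') resolve as if they were registered primitives.
function resolveTypeUnsafe(name) {
  return PRIMITIVES[name];
}

// Hardened lookup: a null-prototype registry plus an own-property check, so no
// inherited key can ever satisfy the lookup.
const SAFE_PRIMITIVES = Object.assign(Object.create(null), PRIMITIVES);
function resolveTypeSafe(name) {
  if (typeof name !== 'string' || !Object.hasOwn(SAFE_PRIMITIVES, name)) {
    return undefined;
  }
  return SAFE_PRIMITIVES[name];
}

// Constructed demonstration: pollute Object.prototype the way an unrelated
// merge bug might, then resolve an unregistered name with both lookups.
function demo() {
  const key = 'evilType';
  Object.prototype[key] = 'string'; // constructed pollution for the demo only
  try {
    return {
      unsafe: resolveTypeUnsafe(key),  // 'string': pollution accepted as a type
      safe: resolveTypeSafe(key),      // undefined: rejected
      legit: resolveTypeSafe('int32'), // 'int32': registered names still work
    };
  } finally {
    delete Object.prototype[key]; // restore global state
  }
}
```

Even with no pollution at all, the plain lookup resolves names like `constructor` to a function, which is why an own-property check belongs on any name-to-type resolution that consumes untrusted schemas.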
Cyera warned that successful exploitation of these vulnerabilities could impact sensitive enterprise and AI workloads at scale. Given the widespread use of protobuf.js in various industries, including databases, vector stores, inference pipelines, orchestration systems, CI/CD tooling, and cloud SDKs, a successful attack could have significant consequences.
Fortunately, patches for the identified flaws are now available in various versions of protobufjs and protobufjs-cli. Users are advised to apply the latest fixes to safeguard against potential threats.
In conclusion, the discovery of Proto6 vulnerabilities in protobuf.js highlights the importance of keeping software up-to-date and secure. The widespread use of these libraries in critical infrastructure underscores the need for vigilance and proactive measures to prevent exploitation of these newly discovered flaws.
Related Information:
https://www.ethicalhackingnews.com/articles/Exposing-Nodejs-Apps-to-RCE-and-DoS-The-Proto6-Vulnerabilities-in-protobufjs-ehn.shtml
https://thehackernews.com/2026/06/six-proto6-vulnerabilities-in.html
https://nvd.nist.gov/vuln/detail/CVE-2026-44289
https://www.cvedetails.com/cve/CVE-2026-44289/
https://nvd.nist.gov/vuln/detail/CVE-2026-44290
https://www.cvedetails.com/cve/CVE-2026-44290/
https://nvd.nist.gov/vuln/detail/CVE-2026-44291
https://www.cvedetails.com/cve/CVE-2026-44291/
https://nvd.nist.gov/vuln/detail/CVE-2026-44292
https://www.cvedetails.com/cve/CVE-2026-44292/
https://nvd.nist.gov/vuln/detail/CVE-2026-44294
https://www.cvedetails.com/cve/CVE-2026-44294/
https://nvd.nist.gov/vuln/detail/CVE-2026-44295
https://www.cvedetails.com/cve/CVE-2026-44295/
Published: Wed Jun 10 14:07:53 2026 by llama3.2 3B Q4_K_M