The point: protobuf.js handles schema metadata insecurely and allows attackers to execute code in Node.js processes through manipulated data.
The widely used JavaScript implementation of Google’s Protocol Buffers contains six security vulnerabilities that enable remote code execution and additional attacks. The vulnerabilities, disclosed by Cyera researchers, affect a library with over 50 million weekly downloads.
Cyera researchers have disclosed six CVEs against the protobuf.js library resulting from insufficient input validation in schema and metadata processing. The vulnerabilities enable remote code execution, denial-of-service, prototype pollution, prototype injection, and code generation errors. The library is downloaded over 50 million times weekly and is often integrated indirectly through dependencies such as gRPC tools, Google Cloud libraries, and other frameworks, making it difficult for organizations to track its presence.
The most critical vulnerability (CVE-2024-44291) affects dynamic code generation: protobuf.js creates encoder and decoder functions by using JavaScript’s Function() constructor. An attacker can manipulate schema-derived information so that data structure metadata becomes executable code. Cyera researchers Assaf Morag and Vladimir Tokarev demonstrated an attack chain in which prototype pollution causes protobuf.js to accept attacker-controlled values as legitimate protobuf types and then execute them in the generated code. A related code injection flaw (CVE-2024-44295) in the pbjs command-line tool allows injecting malicious schema names into generated JavaScript files that are later executed upon import.
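The mechanism described above, schema metadata flowing into source text that is handed to the Function() constructor while type names are resolved through an object that prototype pollution can reach, is the part a defender can check for. The following is an added example written for this page, not protobuf.js code; it uses a hypothetical toy schema shape `{ fields: [{ name, type }] }` and a toy type registry, and only illustrates the two guards: field and type names must be plain identifiers that are not prototype keys, and type lookups must consult the registry's own properties rather than its prototype chain.

```javascript
// Added example (hypothetical toy generator, not the library's internals):
// validate schema-derived names before any of them reach generated code.

const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
// Keys that would walk or rewrite the prototype chain if used as names.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Toy registry of accepted scalar types (an assumption for this example).
const SCALARS = Object.freeze({ int32: "int32", string: "string", bool: "bool" });

function validName(name) {
  return typeof name === "string" && IDENT.test(name) && !FORBIDDEN.has(name);
}

// Resolve a type only among the registry's own properties, so a value that
// an attacker planted on Object.prototype is never mistaken for a real type.
function resolveType(registry, typeName) {
  if (!validName(typeName)) return null;
  return hasOwn(registry, typeName) ? registry[typeName] : null;
}

// Returns a list of problems; an empty list means the schema is acceptable.
function validateSchema(schema, registry = SCALARS) {
  if (!schema || !Array.isArray(schema.fields)) return ["schema.fields must be an array"];
  const errors = [];
  schema.fields.forEach((f, i) => {
    if (!validName(f.name)) errors.push(`field ${i}: invalid name ${JSON.stringify(f.name)}`);
    if (resolveType(registry, f.type) === null) errors.push(`field ${i}: unknown type ${JSON.stringify(f.type)}`);
  });
  return errors;
}

// Build an encoder with Function() only from validated metadata. Names are
// emitted as JSON string literals, never spliced in as raw source text.
function buildEncoder(schema, registry = SCALARS) {
  const errors = validateSchema(schema, registry);
  if (errors.length) throw new Error("refusing to generate code: " + errors.join("; "));
  const body = schema.fields.map((f, i) => {
    const key = JSON.stringify(f.name);
    return `if (m[${key}] !== undefined) out.push([${i}, ${key}, m[${key}]]);`;
  });
  return new Function("m", `const out = []; ${body.join(" ")} return out;`);
}

module.exports = { validName, resolveType, validateSchema, buildEncoder, SCALARS };
```

The point of the `hasOwn` lookup is that an inherited property, whether from legitimate prototype methods or from a polluted `Object.prototype`, never counts as a known type; the identifier check then stops any non-identifier name from ever reaching the generated source.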
Successful exploitation requires specific preconditions — such as the ability to influence protobuf schemas or descriptors. In modern data and AI ecosystems that routinely exchange schemas, descriptors, and configuration files across services, repositories, cloud platforms, and third-party integrations, these conditions are increasingly present. The remaining CVEs (CVE-2024-44292, CVE-2024-44289, CVE-2024-44290, CVE-2024-44294) concern less critical prototype injection and DoS issues.
The library is frequently consumed as a transitive dependency, meaning organizations could be exposed without knowing the library is in their stack. Since schemas flow through automated CI/CD pipelines, malicious schemas can enter workflows and ultimately be executed. Patches are available for protobuf.js and the CLI tool protobuf.js-cli.
Source: www.csoonline.com · Published June 8, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.