Cyera Research Uncovers Six Protobuf.js Vulnerabilities Impacting the Backbone of Data and AI Systems

Assaf Morag
Cyera Research
Vladimir Tokarev
Jun 5, 2026
Share

Cyera researchers discovered and helped remediate six vulnerabilities in protobuf.js, including flaws that could lead to remote code execution (RCE) and denial-of-service (DoS) attacks.

If you're wondering why this matters, that's a fair question. Most of us rarely interact directly with protobuf.js. However, it is the most widely used JavaScript runtime for Protocol Buffers, a serialization format that powers communication across millions of applications, databases, cloud-native services, and AI systems. The package alone is downloaded more than 50 million times per week, with true adoption likely far higher due to its widespread inclusion as a dependency in countless software projects.

Key Findings

Cyera researchers discovered six vulnerabilities in protobuf.js. In affected environments, a single malicious protobuf schema, descriptor, or crafted payload could be enough to trigger crashes, runtime corruption, or even code execution.

The vulnerabilities affect Node.js applications that use protobuf.js, which is pulled in directly or transitively by gRPC tooling (@grpc/proto-loader), Google Cloud client libraries, messaging frameworks like Baileys, and CI/CD pipelines. Any Node.js service that decodes protobuf data or generates code from schemas with protobuf.js is potentially in scope.

The vulnerabilities impact protobuf.js versions <= 7.5.5 and >= 8.0.0 <= 8.0.1, and protobufjs-cli versions <= 1.2.0 and >= 2.0.0 <= 2.0.1. Patches are available in protobufjs 7.5.6 / 8.0.2 and protobufjs-cli 1.2.1 / 2.0.2.

What is Protobuf?

Protocol Buffers are one of the most widely adopted mechanisms for moving structured data between applications. They sit behind cloud services, databases, AI pipelines, APIs, mobile applications, and distributed systems. In JavaScript environments, protobuf.js is the engine responsible for encoding and decoding that information, making it one of the most heavily deployed serialization libraries in the software ecosystem.

Because protobuf is designed to sit behind the scenes, most organizations are unaware of how many critical systems depend on it until something goes wrong.

The Vulnerabilities at a Glance

Although the six vulnerabilities differ in their technical details (read more about it here), they all stem from a similar underlying issue:

  • protobuf.js trusted certain pieces of data that should have been treated as potentially untrusted input.
  • Information that was intended to describe how data should be processed (such as schema definitions, field names, or configuration values) could, under certain circumstances, influence how the application behaved in unexpected ways.
  • This could lead to a range of outcomes, from application crashes to more severe scenarios involving code execution.

While exploitation of these vulnerabilities generally requires specific conditions, those conditions are increasingly common in data and AI ecosystems that routinely exchange data, schemas, and configuration files across services, repositories, cloud platforms, and third-party integrations.

Real-World Impact: From Messaging Bots to Software Supply Chains

Finding vulnerabilities in a widely used open-source component is one thing. Understanding what those vulnerabilities could mean in real-world environments is what truly matters. To evaluate the potential impact, we tested several realistic scenarios involving technologies that organizations use every day, from customer-facing automation platforms to cloud services and software delivery pipelines.

The same vulnerability can look very different depending on where protobuf.js is deployed. In one environment it may crash a service; in another it may affect a CI/CD pipeline. We tested several scenarios to understand how the impact changes across databases, software supply chains, cloud workloads, and messaging platforms.

One realistic attack scenario could target software supply chains. Development teams routinely accept code contributions, integrate third-party components, and automatically process files through CI/CD pipelines. We found that under certain conditions, a malicious protobuf schema could be introduced into this workflow and ultimately execute within trusted build environments. The significance of this finding is not limited to a single application. Build systems often have access to source code repositories, deployment credentials, cloud resources, signing certificates, and other highly sensitive assets. A compromise at this stage could allow attackers to move far beyond the initial project and potentially affect downstream products, customers, and business operations.

The risks extend beyond applications and into the data platforms many organizations rely on every day. Many databases, data platforms, and analytics systems exchange information using Protocol Buffers, and the Node.js services and client SDKs that sit in front of them often decode that traffic with protobuf.js. In these environments, protobuf is treated as a trusted layer of infrastructure and receives far less scrutiny than external-facing applications.

Where those Node.js services decode untrusted protobuf with an affected version, a malicious payload could crash them, stall data-processing pipelines, or take backend operations offline. In large-scale environments where hundreds of services continuously exchange information, even a localized failure can cascade into broader issues affecting availability and reliability.

AI systems were particularly interesting because protobuf appears throughout the pipeline, and several of the Node.js clients that touch it run protobuf.js directly: the Milvus vector-database SDK, the Temporal TypeScript orchestration SDK, and OpenTelemetry's JavaScript exporters all ship it. Where one of those clients decodes attacker-influenced protobuf, the same failure could interrupt data ingestion, break retrieval, delay inference, or affect the services around a production AI deployment.

Another striking example involved WhatsApp automation platforms. We demonstrated that a specially crafted message could cause popular WhatsApp bot frameworks to repeatedly crash. The impact extends beyond a simple service interruption. Because the malicious message remains stored in the conversation history, affected bots could enter a persistent failure loop, crashing again each time they restart and attempt to process the message. For organizations that rely on messaging bots for customer service, sales, support, or business operations, a single malicious interaction could potentially disrupt an entire communication channel.

Summary and Mitigation

The six vulnerabilities Cyera researchers discovered affect core protobuf.js operations including schema loading, code generation, object handling, encoding, decoding, and descriptor parsing. Because protobuf.js is heavily used inside databases, vector stores, inference pipelines, orchestration systems, CI/CD tooling, and cloud SDKs, successful exploitation could impact sensitive enterprise and AI workloads at scale.

The lesson from this research extends beyond protobuf.js. Modern software increasingly treats schemas, metadata, and configuration files as trusted inputs that drive automation, orchestration, and code generation. When those trust assumptions break, data can become behavior. That shift creates new attack surfaces that security teams must learn to identify and manage.

Immediate action items:

  • Update protobufjs and protobufjs-cli to patched versions, and audit both direct and transitive dependencies.
  • Prioritize internet-facing gRPC, API, WebSocket, and message-queue services that decode untrusted protobuf payloads, especially for CVE-2026-44289 DoS risk.
  • Review prototype pollution exposure across co-installed npm packages, as it can be chained with CVE-2026-44291 and the descriptor typeName issue into RCE.
  • Treat protobuf schemas, descriptors, and schema registries as untrusted input; validate .proto, JSON descriptor, and FileDescriptorSet sources before loading them.
  • Harden CI/CD pipelines using pbjs. Pin versions, verify schema integrity, and avoid generating static code from untrusted schemas.

How Cyera Can Help

Cyera helps organizations identify and reduce risk across modern cloud, AI, and data environments where protobuf-based communication and dynamic schema handling are deeply embedded.
Cyera provides visibility into sensitive data flows, AI pipelines, cloud services, and distributed systems that may be exposed to vulnerable libraries, insecure dependencies, or unsafe schema-loading patterns.

Using Cyera, organizations can identify high-risk services handling sensitive protobuf traffic, detect exposed secrets and AI-related data, monitor risky integrations across cloud-native environments, and reduce blast radius in the event of runtime compromise or supply chain attacks.

Cyera also helps security teams understand where sensitive enterprise and AI data resides, how it moves between systems, and which workloads could be impacted by vulnerabilities in serialization layers, gRPC infrastructure, vector databases, or AI orchestration pipelines.

Get the full report

Share

Table of Contents

Heading 2
Get your AI Security Assessment

See how prepared your organization is for AI.

Assess your AI Security

Related resources

May 15, 2026

Claw Chain: Cyera Research Unveil Four Chainable Vulnerabilities in OpenClaw

May 5, 2026

Bleeding Llama: A Critical Memory Leak in the World's Most Popular Local AI Platform

April 29, 2026

A 15-Year Gap in SSH Security - And What to Do About It

Secure
the unknown

Book a demo