Six protobuf.js Vulnerabilities Enable RCE and DoS in Node.js Applications
What Happened — Researchers identified six critical flaws in protobuf.js, the JavaScript/TypeScript implementation of Google’s Protocol Buffers. A malicious protobuf schema, descriptor, or crafted payload can trigger remote code execution (RCE) or denial‑of‑service (DoS) in any Node.js application that deserializes untrusted data using the library.
Why It Matters for TPRM —
- The library is a common third‑party component in SaaS, cloud‑native, and internal tooling stacks; a breach can cascade to multiple downstream customers.
- RCE provides attackers full control of the host process, potentially exposing sensitive data and compromising service integrity.
- DoS can disrupt critical business services, leading to financial loss and reputational damage.
Who Is Affected — Technology SaaS providers, cloud‑hosted platforms, API providers, and any organization that runs Node.js applications relying on protobuf.js (including indirect dependencies).
Recommended Actions —
- Conduct an inventory of all applications and services that include protobuf.js, directly or via transitive dependencies.
- Upgrade immediately to the patched version released by the maintainers (or apply any interim mitigations they provide).
- Enforce strict schema validation and avoid deserializing untrusted protobuf data whenever possible.
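The first two actions above, as an added example that is not part of the advisory or the protobuf.js project: a small Node.js script that walks the JSON emitted by `npm ls --all --json`, lists every copy of the `protobufjs` npm package (direct or transitive, with the path it came in through), and flags those below a patched version you supply. The advisory names no fixed version, so the threshold is a parameter and the dependency tree shown is constructed sample data.

```javascript
// Added example, not code from the advisory or the protobuf.js project.
// Inventories every copy of the npm package "protobufjs" (protobuf.js) in a
// dependency tree of the shape produced by `npm ls --all --json`.
const PACKAGE = "protobufjs";

// Recursively collect { version, path } for every node named `name`,
// including copies nested under other dependencies.
function findPackage(tree, name = PACKAGE, path = [], found = []) {
  const deps = tree.dependencies || {};
  for (const [depName, node] of Object.entries(deps)) {
    const here = [...path, `${depName}@${node.version || "?"}`];
    if (depName === name && node.version) {
      found.push({ version: node.version, path: here.join(" > ") });
    }
    findPackage(node, name, here, found);
  }
  return found;
}

// Numeric compare of "major.minor.patch"; pre-release suffixes are ignored.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}
function olderThan(version, minVersion) {
  const a = parseVersion(version), b = parseVersion(minVersion);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Copies still below the version the maintainers ship the fix in.
// minVersion is supplied by the caller: the advisory states no number.
function vulnerableCopies(tree, minVersion) {
  return findPackage(tree).filter((c) => olderThan(c.version, minVersion));
}

// Constructed sample tree (versions are made up for the demonstration).
const SAMPLE_TREE = {
  name: "example-service", version: "1.0.0",
  dependencies: {
    protobufjs: { version: "7.2.0" },
    "grpc-client-lib": { version: "2.1.0",
      dependencies: { protobufjs: { version: "6.11.0" } } },
    express: { version: "4.18.0" },
  },
};

for (const c of findPackage(SAMPLE_TREE)) console.log(`${c.version}  via  ${c.path}`);
console.log("below placeholder 7.0.0:", vulnerableCopies(SAMPLE_TREE, "7.0.0"));
```

To run it against a real service, replace `SAMPLE_TREE` with the parsed output of `npm ls --all --json` and pass the version the maintainers publish as the fix.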
Technical Notes — The flaws arise from unsafe handling of protobuf descriptors and crafted payloads, allowing arbitrary memory writes and infinite loops that lead to RCE or DoS. No CVE identifiers have been assigned yet; patches are available on the project's GitHub repository. Source: https://thehackernews.com/2026/06/six-proto6-vulnerabilities-in.html