
Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS

thehackernews.com · 2026-06-10 · AI supply chain · Critical

What Happened

Cybersecurity researchers have flagged half a dozen vulnerabilities in protobuf.js, a JavaScript and TypeScript implementation of Protocol Buffers (Protobuf), that, if successfully exploited, could result in remote code execution (RCE) and denial-of-service (DoS) attacks. "In affected environments, a single malicious protobuf schema, descriptor, or crafted payload could be enough to trigger

Why It Matters

According to public reporting, researchers disclosed six vulnerabilities in protobuf.js, including multiple flaws that allow attacker-controlled protobuf schemas, descriptors, or crafted payloads to be turned into executable JavaScript, leading to remote code execution and denial-of-service in Node.js and related environments.[2] Several CVEs involve dynamic code generation, prototype pollution, and code injection in both the runtime library and its CLI tooling, with patches released in newer protobuf.js and protobuf.js-cli versions.[1][2] From a CyberSE.AI perspective, any AI stack or agent platform that relies on Node.js services using protobuf.js (directly or via transitive dependencies such as gRPC or Firebase) inherits these software supply chain risks, including potential RCE inside back-end microservices that serve or orchestrate AI models.[1][3] Organizations should treat protobuf.js as a critical dependency in their AI SBOM, urgently patch affected versions, and implement robust dependency governance (pinning, automated SBOM generation, continuous vulnerability monitoring) for all AI-related services that parse protobuf schemas or run protobuf-based build and codegen pipelines.[1][
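One way to find every direct and transitive copy of protobuf.js in a Node.js service is to walk the `packages` map of its `package-lock.json` (lockfile v2/v3). This is an added example, not code from the article or the protobuf.js project; the sample lockfile, its versions, and the version floor are constructed placeholders, and the real fixed versions must come from the vendor advisory.

```javascript
// Added example: inventory protobufjs copies in an npm lockfile (v2/v3 "packages" map).
const TARGETS = new Set(["protobufjs", "protobufjs-cli"]); // npm package names

// Compare dotted numeric versions; prerelease suffixes are ignored (simplification).
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

const allDeps = (m) => ({ ...m.dependencies, ...m.devDependencies, ...m.optionalDependencies });

// lock: parsed package-lock.json. floors: { name: "x.y.z" } copied from the vendor advisory.
function findProtobufjs(lock, floors) {
  const entries = Object.entries(lock.packages || {});
  const findings = [];
  for (const [path, meta] of entries) {
    const name = path.split("node_modules/").pop();
    if (!TARGETS.has(name)) continue;
    // Packages that declare this dependency; does not resolve which copy each one loads.
    const requiredBy = entries
      .filter(([, m]) => name in allDeps(m))
      .map(([p]) => p.split("node_modules/").pop() || "(root project)");
    const floor = floors[name];
    const status = !floor ? "unknown"
      : cmpVersion(meta.version, floor) < 0 ? "below-floor" : "ok";
    findings.push({ name, version: meta.version, path, requiredBy, status });
  }
  return findings;
}

// Constructed sample lockfile; versions and the floor are placeholders, not real releases.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@grpc/grpc-js": "*", "protobufjs": "*" } },
    "node_modules/@grpc/grpc-js": { version: "1.0.0", dependencies: { "@grpc/proto-loader": "*" } },
    "node_modules/@grpc/proto-loader": { version: "1.0.0", dependencies: { "protobufjs": "*" } },
    "node_modules/@grpc/proto-loader/node_modules/protobufjs": { version: "1.2.3" },
    "node_modules/protobufjs": { version: "2.0.0" },
  },
};
const PLACEHOLDER_FLOORS = { protobufjs: "2.0.0" }; // replace with the advisory's fixed versions

function demo() { return findProtobufjs(SAMPLE_LOCK, PLACEHOLDER_FLOORS); }
```

Against a real project, pass the parsed contents of `package-lock.json` as `lock`; a nested copy pinned by an intermediate package stays below the floor even after the top-level dependency is upgraded, which is why each path is reported separately.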

Healthcare · Fintech · SaaS · SMB · AI startups

CyberSE Analysis

This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/06/six-proto6-vulnerabilities-in.html
