Security & Trust

220 Million Monthly Downloads. Six Vulnerabilities. The protobuf.js Supply Chain.

A critical RCE chain in protobuf.js — used across Node.js frameworks — turns schema definitions into arbitrary code execution. Exploit code is public.


The Library Behind the Frameworks

protobuf.js is the JavaScript and TypeScript implementation of Google's Protocol Buffers — the serialization format used across microservices, gRPC, and data pipelines. It receives 220 million monthly npm downloads. Cyera researchers disclosed six vulnerabilities, codenamed Proto6, enabling remote code execution and denial of service in any Node.js application that processes attacker-influenced protobuf schemas.

The most severe vulnerability (CVE-2026-44291) chains prototype pollution into protobuf.js's type resolution, causing it to compile attacker-controlled strings via Function() — achieving arbitrary JavaScript execution. Exploit code for CVE-2026-41242 is publicly available.

220M monthly npm downloads (source: npm registry). protobuf.js is a foundational dependency across the Node.js ecosystem.

6 CVEs disclosed (source: Cyera research, Proto6), including CVE-2026-44291 (RCE via prototype pollution), CVE-2026-44295 (code injection in pbjs), and CVE-2026-41242 (critical RCE, public exploit).

Which Frameworks Are Exposed

Any Node.js framework that uses protobuf.js for API serialization, gRPC communication, or data validation is in the blast radius. This includes Next.js applications using gRPC backends, Nuxt.js services with protobuf-based APIs, and any Express/Fastify microservice handling Protocol Buffer messages. The vulnerability is in the schema processing layer — if the application accepts protobuf definitions from external sources, it's exploitable.

The CI/CD angle is equally concerning. CVE-2026-44295 enables code injection through crafted schema names in pbjs static output. A malicious protobuf schema introduced into a build pipeline can leak build secrets. This turns a serialization library into a supply chain weapon.

Vulnerable versions: ≤7.5.5 and 8.0.0–8.0.1 (source: protobuf.js advisory). Patches are available in 7.5.6 and 8.0.2. Applications must update the dependency explicitly.

The Dependency Depth Problem

protobuf.js is rarely a direct dependency in web applications. It's pulled in transitively — through gRPC libraries, through Google Cloud client libraries, through internal tooling. Most teams running vulnerable versions don't know protobuf.js is in their dependency tree. This is the supply chain pattern WebPulse tracks: the vulnerability isn't in the framework you chose but in the library your library depends on.
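Finding those hidden copies is a lockfile question, not a package.json question. The following added example (not code from the article or from the protobuf.js project) walks an npm lockfile's "packages" map, which lists nested installs such as node_modules/some-lib/node_modules/protobufjs, and flags any copy whose version falls in the ranges the advisory lists as vulnerable (≤7.5.5 and 8.0.0–8.0.1). It assumes a lockfileVersion 2 or 3 layout and uses "protobufjs", the package's npm name; the sample lockfile and the "example-grpc-client" package in it are constructed.

```javascript
// Added example, not from the article: flag copies of protobuf.js (npm name
// "protobufjs") in a lockfileVersion 2/3 "packages" map whose version is in the
// ranges the article lists as vulnerable (<=7.5.5, 8.0.0-8.0.1; fixed 7.5.6/8.0.2).

const VULNERABLE_RANGES = [
  { min: [0, 0, 0], max: [7, 5, 5] }, // every release up to and including 7.5.5
  { min: [8, 0, 0], max: [8, 0, 1] }, // 8.0.0 and 8.0.1
];

// Return [major, minor, patch]; tolerates a leading "v", ignores pre-release tags.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function isVulnerable(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable version: report nothing rather than guess
  return VULNERABLE_RANGES.some(
    (r) => compareVersions(v, r.min) >= 0 && compareVersions(v, r.max) <= 0
  );
}

// Keys look like "node_modules/a/node_modules/protobufjs", so nested (transitive)
// copies are found as well as the top-level one.
function findVulnerableProtobufjs(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const isProtobufjs =
      path === 'node_modules/protobufjs' || path.endsWith('/node_modules/protobufjs');
    if (isProtobufjs && isVulnerable(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile: patched top-level copy plus a vulnerable copy nested
// under a hypothetical gRPC client (the transitive case the article describes).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/protobufjs': { version: '7.5.6' },
    'node_modules/example-grpc-client/node_modules/protobufjs': { version: '7.2.4' },
  },
};
console.log(findVulnerableProtobufjs(sampleLock));
```

Run it against a real package-lock.json by parsing the file with JSON.parse and passing the result in place of sampleLock; a non-empty result means a vulnerable copy is installed even if package.json never names protobufjs.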

Modern frameworks with smaller dependency trees have less exposure. Astro applications that don't use gRPC are unaffected. FastAPI (Python) uses its own protobuf implementation. The JavaScript ecosystem's dependency depth — where a single npm install can pull 800+ transitive packages — is itself a security dimension. WebPulse's supply chain scoring reflects this: frameworks with fewer transitive dependencies carry less hidden risk.

Highest CVSS score: 8.7 (source: NVD). CVE-2026-44295 is rated 8.7 (High). The RCE chain through prototype pollution makes the real-world impact critical for affected applications.