
Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS

ID: 745b41e3-e8d1-5e80-97fe-2aadc5d7ce64

STIX ID: report--745b41e3-e8d1-5e80-97fe-2aadc5d7ce64

Feed Name: CosmicBytez Labs

Threat Score
75/100

Date Published: 2026-06-10

Date Updated: 2026-06-11

...
...

Researchers disclosed six vulnerabilities (Proto6) in the widely used protobuf.js library. The flaws (prototype pollution, type confusion, integer overflow, unsafe eval usage, unchecked recursion, and schema injection) can be exploited independently or chained to achieve remote code execution and denial of service against applications that parse attacker-controlled Protocol Buffers, and they present a significant supply-chain risk for Node.js and gRPC environments. Organizations are advised to validate inputs, avoid dynamic schema loading, disable dynamic message generation where possible, apply patches when released, and isolate services that process untrusted Protobuf data.
