protobufjs-cli CVE-2026-42290
HIGHSeverity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments.
Impact
An attacker who can control file names or paths passed to pbts may be able to execute arbitrary shell commands with the privileges of the process running pbts.
This affects the protobufjs CLI tooling path. The protobufjs runtime APIs for encoding, decoding, parsing, and loading protobuf messages are not directly affected by this issue.
Preconditions
- The application or user must invoke
pbtson file paths influenced by an attacker. - The attacker must be able to supply or create a path containing shell-significant characters.
- The vulnerable
pbtsversion must execute the generated JSDoc command through a shell.
Workarounds
Do not run affected versions of pbts on attacker-controlled file names or paths. If this cannot be avoided, sanitize or rename input files before invoking pbts, or run the CLI in an isolated environment with minimal privileges.
AnalysisAI
Command injection in protobufjs-cli pbts tool allows arbitrary shell command execution when processing file paths with shell metacharacters. The pbts utility builds JSDoc commands by concatenating unsanitized file paths into shell strings executed via child_process.exec. Affects protobufjs-cli versions ≤1.2.0 and 2.0.0-2.0.1. Vendor-released patches available (1.2.1 and 2.0.2). CVSS 7.8 (High) but requires local access with user interaction (AV:L/UI:R), limiting remote exploitation. No EPSS data or KEV listing indicates this is not yet widely exploited despite public disclosure and available fixes.
Technical ContextAI
This vulnerability stems from unsafe use of Node.js child_process.exec() in the pbts (Protocol Buffers TypeScript) code generation tool, part of the protobufjs-cli npm package. The pbts utility generates TypeScript definitions from JavaScript protobuf files by invoking JSDoc. The vulnerable code constructs shell command strings by directly concatenating user-supplied file paths without sanitization, then passes these strings to child_process.exec(), which spawns a shell interpreter. CWE-78 (OS Command Injection) occurs because shell metacharacters in file paths (such as semicolons, backticks, pipe symbols, or $() constructs) are interpreted by the shell rather than treated as literal path components. This is a classic command injection pattern where untrusted input flows into a shell execution context without proper escaping or parameterization. The fix likely replaces child_process.exec() with child_process.execFile() or adds strict input validation to sanitize shell-significant characters before command construction.
RemediationAI
Upgrade protobufjs-cli immediately to patched versions: 1.2.1 for the 1.x branch or 2.0.2 for the 2.x branch. Release announcements and patch details are available at https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-cli-v1.2.1 and https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-cli-v2.0.2. The fix (commit 75392ea) implements input hardening to prevent shell metacharacter interpretation. For environments where immediate upgrade is not feasible, implement strict input validation by sanitizing or renaming all input files before passing them to pbts, rejecting filenames containing characters such as semicolons, backticks, dollar signs, pipes, ampersands, or other shell-significant symbols. Alternatively, isolate pbts execution in containerized or sandboxed environments with minimal filesystem access and no network connectivity, running under a dedicated low-privilege user account. Note that input sanitization workarounds are brittle and error-prone - the shell metacharacter set is extensive and context-dependent, making blacklist-based filtering unreliable. Upgrading to patched versions is strongly preferred over workarounds. For CI/CD pipelines, ensure protobufjs-cli dependency versions are pinned and automatically updated through dependency scanning tools.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-f84p-cvgm-xgjj