Skip to main content

protobufjs-cli CVE-2026-42290

HIGH
OS Command Injection (CWE-78)
2026-05-12 https://github.com/protobufjs/protobuf.js GHSA-f84p-cvgm-xgjj
7.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 12, 2026 - 15:32 vuln.today
Analysis Generated
May 12, 2026 - 15:32 vuln.today
CVE Published
May 12, 2026 - 14:59 nvd
HIGH 7.8

DescriptionGitHub Advisory

Summary

pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments.

Impact

An attacker who can control file names or paths passed to pbts may be able to execute arbitrary shell commands with the privileges of the process running pbts.

This affects the protobufjs CLI tooling path. The protobufjs runtime APIs for encoding, decoding, parsing, and loading protobuf messages are not directly affected by this issue.

Preconditions

  • The application or user must invoke pbts on file paths influenced by an attacker.
  • The attacker must be able to supply or create a path containing shell-significant characters.
  • The vulnerable pbts version must execute the generated JSDoc command through a shell.

Workarounds

Do not run affected versions of pbts on attacker-controlled file names or paths. If this cannot be avoided, sanitize or rename input files before invoking pbts, or run the CLI in an isolated environment with minimal privileges.

AnalysisAI

Command injection in protobufjs-cli pbts tool allows arbitrary shell command execution when processing file paths with shell metacharacters. The pbts utility builds JSDoc commands by concatenating unsanitized file paths into shell strings executed via child_process.exec. Affects protobufjs-cli versions ≤1.2.0 and 2.0.0-2.0.1. Vendor-released patches available (1.2.1 and 2.0.2). CVSS 7.8 (High) but requires local access with user interaction (AV:L/UI:R), limiting remote exploitation. No EPSS data or KEV listing indicates this is not yet widely exploited despite public disclosure and available fixes.

Technical ContextAI

This vulnerability stems from unsafe use of Node.js child_process.exec() in the pbts (Protocol Buffers TypeScript) code generation tool, part of the protobufjs-cli npm package. The pbts utility generates TypeScript definitions from JavaScript protobuf files by invoking JSDoc. The vulnerable code constructs shell command strings by directly concatenating user-supplied file paths without sanitization, then passes these strings to child_process.exec(), which spawns a shell interpreter. CWE-78 (OS Command Injection) occurs because shell metacharacters in file paths (such as semicolons, backticks, pipe symbols, or $() constructs) are interpreted by the shell rather than treated as literal path components. This is a classic command injection pattern where untrusted input flows into a shell execution context without proper escaping or parameterization. The fix likely replaces child_process.exec() with child_process.execFile() or adds strict input validation to sanitize shell-significant characters before command construction.

RemediationAI

Upgrade protobufjs-cli immediately to patched versions: 1.2.1 for the 1.x branch or 2.0.2 for the 2.x branch. Release announcements and patch details are available at https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-cli-v1.2.1 and https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-cli-v2.0.2. The fix (commit 75392ea) implements input hardening to prevent shell metacharacter interpretation. For environments where immediate upgrade is not feasible, implement strict input validation by sanitizing or renaming all input files before passing them to pbts, rejecting filenames containing characters such as semicolons, backticks, dollar signs, pipes, ampersands, or other shell-significant symbols. Alternatively, isolate pbts execution in containerized or sandboxed environments with minimal filesystem access and no network connectivity, running under a dedicated low-privilege user account. Note that input sanitization workarounds are brittle and error-prone - the shell metacharacter set is extensive and context-dependent, making blacklist-based filtering unreliable. Upgrading to patched versions is strongly preferred over workarounds. For CI/CD pipelines, ensure protobufjs-cli dependency versions are pinned and automatically updated through dependency scanning tools.

Share

CVE-2026-42290 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy