Skip to main content

protobufjs-cli CVE-2026-44295

HIGH
Code Injection (CWE-94)
2026-05-12 https://github.com/protobufjs/protobuf.js GHSA-6r35-46g8-jcw9
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 12, 2026 - 16:01 vuln.today
Analysis Generated
May 12, 2026 - 16:01 vuln.today
CVE Published
May 12, 2026 - 15:06 nvd
HIGH 8.7

DescriptionGitHub Advisory

Summary

pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization.

Impact

An attacker who can provide or influence schemas passed to pbjs may be able to cause generated JavaScript output to contain attacker-controlled code. The injected code would run if the generated file is later executed or imported by the application or build process.

This affects the protobufjs CLI static code generation path. Applications that only use trusted schemas, or that do not execute generated output from untrusted schemas, are not directly affected.

Preconditions

  • The application or build process must run pbjs static code generation on a schema or JSON descriptor influenced by an attacker.
  • The attacker-controlled input must contain crafted schema names that reach generated JavaScript output.
  • The generated JavaScript file must subsequently be executed, imported, or otherwise evaluated.

Workarounds

Do not run affected versions of pbjs static code generation on untrusted schemas or descriptors. If untrusted schemas must be accepted, validate schema names before code generation and run generation in an isolated environment.

AnalysisAI

Code injection in protobufjs-cli's pbjs static generator allows attackers who control protocol buffer schemas to inject malicious JavaScript code into generated output files. The vulnerability affects npm packages protobufjs-cli versions ≤1.2.0 and 2.0.0-2.0.1, with patches released in versions 1.2.1 and 2.0.2. Exploitation requires low complexity with authenticated network access and user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C), achieving high confidentiality and integrity impact but no availability impact. No CISA KEV listing or public exploit code identified at time of analysis, though GitHub advisory confirms the vulnerability with released patches.

Technical ContextAI

This vulnerability affects the protobufjs-cli static code generation tool (pbjs command), part of the Protocol Buffers JavaScript implementation ecosystem. Protocol Buffers are Google's language-neutral, platform-neutral serialization mechanism requiring schema files (.proto) to define message structures. The pbjs tool compiles these schemas into static JavaScript modules for runtime efficiency. The root cause is CWE-94 (Improper Control of Generation of Code / Code Injection) where the static generator fails to sanitize schema-controlled identifiers including namespace names, enum values, service names, and derived full names before emitting them as JavaScript identifiers in generated output. An attacker crafting malicious schema definitions can inject arbitrary JavaScript tokens that bypass identifier validation, resulting in executable code within the generated .js files. This represents a supply chain risk in build pipelines where schema sources may be external repositories, API definitions, or user-provided inputs. The affected npm packages are pkg:npm/protobufjs-cli versions ≤1.2.0 (7.x branch) and 2.0.0-2.0.1 (8.x branch).

RemediationAI

Upgrade protobufjs-cli to patched versions immediately: version 1.2.1 or later for 7.x branch users, or version 2.0.2 or later for 8.x branch users. Patches released April 27, 2026 per GitHub release notes (https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-cli-v1.2.1 and https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-cli-v2.0.2). Update package.json dependencies and run npm install or equivalent package manager command. For organizations unable to immediately upgrade, implement the following compensating controls with noted trade-offs: (1) Restrict pbjs code generation to only trusted, version-controlled schema sources - trade-off is inability to process external or dynamic schemas; (2) Implement schema name validation regex before generation to block JavaScript reserved words and special characters in namespace/enum/service names - trade-off is maintenance overhead and potential false positives blocking legitimate schemas; (3) Execute pbjs in isolated sandboxed environments (containers, VMs) with no network access or sensitive credentials - trade-off is increased build complexity and performance overhead; (4) Implement mandatory code review of all generated JavaScript output before deployment - trade-off is significant manual effort and slower release cycles. Review GitHub advisory GHSA-6r35-46g8-jcw9 for additional vendor guidance. Audit existing generated code from untrusted schemas for malicious injections before deploying patches.

Share

CVE-2026-44295 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy