Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
Attacker supplies JSON descriptor remotely (AV:N, PR:N) but must defeat the prior name-validation fix (AC:H) and a victim must build and import the generated file (UI:R), yielding cross-context code execution (S:C, C:H/I:H/A:L).
Primary rating from Vendor (https://github.com/protobufjs/protobuf.js).
CVSS VectorVendor: https://github.com/protobufjs/protobuf.js
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
Lifecycle Timeline
2DescriptionCVE.org
Summary
A previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas from .proto files is not affected.
This is a bypass of GHSA-6r35-46g8-jcw9 / CVE-2026-44295.
Impact
An attacker who can provide or influence pre-parsed JSON descriptors passed to pbjs static code generation may be able to cause generated JavaScript output to contain attacker-controlled code.
The injected code may execute if the generated file is later executed or imported and an affected generated API path is invoked.
Preconditions
- The application or build process must run
pbjsstatic code generation on a pre-parsed JSON descriptor influenced by an attacker. - The generated JavaScript file must subsequently be executed or imported.
- An affected generated API path must be invoked.
Workarounds
Do not run affected versions of pbjs static or static-module generation on untrusted JSON descriptors. If untrusted JSON descriptors must be accepted, validate descriptor-derived names before code generation and reject names that could not have been produced by parsing a valid .proto file. Running code generation in an isolated environment can reduce impact.
AnalysisAI
Code injection in protobufjs-cli pbjs static and static-module code generation allows attacker-influenced JSON descriptor names to be emitted as unsafe JavaScript references in generated output, leading to arbitrary code execution when the generated file is later imported and an affected API path is invoked. This affects npm protobufjs-cli versions <= 1.3.1 and 2.0.0 through 2.4.2, and is an incomplete-fix bypass of CVE-2026-44295 (GHSA-6r35-46g8-jcw9). At time of analysis, no public exploit identified and no CISA KEV listing, but vendor-released patches exist in 1.3.2 and 2.5.0.
Technical ContextAI
protobufjs-cli ships the pbjs tool that converts Protocol Buffer schemas into static JavaScript modules. When pbjs operates in static or static-module mode, it walks a parsed descriptor tree and emits JavaScript identifiers (such as message, field, enum and service names) directly into the generated source. The root cause maps to CWE-94 (Improper Control of Generation of Code, i.e. code injection): descriptor-derived names taken from pre-parsed JSON input are interpolated into generated JS without sufficient validation that they could only have been produced by a legitimate .proto parser, allowing crafted names to escape identifier context and inject arbitrary JavaScript. The affected CPEs are pkg:npm/protobufjs-cli; the protobuf.js runtime library and the normal flow of parsing trusted .proto files are not implicated.
RemediationAI
Vendor-released patch: upgrade protobufjs-cli to 1.3.2 on the 1.x line or 2.5.0 on the 2.x line, as published in GHSA-pr59-h9ph-3fr8 (https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-pr59-h9ph-3fr8) and mirrored at https://github.com/advisories/GHSA-pr59-h9ph-3fr8; teams that only patched against CVE-2026-44295 must upgrade again because this issue is a bypass of that fix. Where immediate upgrade is not possible, do not run pbjs static or static-module generation against untrusted pre-parsed JSON descriptors, and prefer feeding pbjs raw .proto files (the unaffected path) instead. If untrusted JSON descriptors must be accepted, validate every descriptor-derived name against the identifier grammar a real .proto parser would have produced and reject anything else, accepting that legitimate-but-unusual names may be blocked; additionally, run code generation inside an isolated environment (ephemeral container, unprivileged user, no network and no source-tree write access) so that any injected code that later executes is contained, recognizing this only reduces impact rather than preventing injection.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38304
GHSA-pr59-h9ph-3fr8