Skip to main content

protobufjs-cli EUVDEUVD-2026-38304

| CVE-2026-54271 HIGH
Code Injection (CWE-94)
2026-06-15 https://github.com/protobufjs/protobuf.js GHSA-pr59-h9ph-3fr8
8.2
CVSS 3.1 · Vendor: https://github.com/protobufjs/protobuf.js
Share

Severity by source

Vendor (https://github.com/protobufjs/protobuf.js) PRIMARY
8.2 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
vuln.today AI
8.2 HIGH

Attacker supplies JSON descriptor remotely (AV:N, PR:N) but must defeat the prior name-validation fix (AC:H) and a victim must build and import the generated file (UI:R), yielding cross-context code execution (S:C, C:H/I:H/A:L).

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/protobufjs/protobuf.js).

CVSS VectorVendor: https://github.com/protobufjs/protobuf.js

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 15, 2026 - 20:31 vuln.today
Analysis Generated
Jun 15, 2026 - 20:31 vuln.today

DescriptionCVE.org

Summary

A previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas from .proto files is not affected.

This is a bypass of GHSA-6r35-46g8-jcw9 / CVE-2026-44295.

Impact

An attacker who can provide or influence pre-parsed JSON descriptors passed to pbjs static code generation may be able to cause generated JavaScript output to contain attacker-controlled code.

The injected code may execute if the generated file is later executed or imported and an affected generated API path is invoked.

Preconditions

  • The application or build process must run pbjs static code generation on a pre-parsed JSON descriptor influenced by an attacker.
  • The generated JavaScript file must subsequently be executed or imported.
  • An affected generated API path must be invoked.

Workarounds

Do not run affected versions of pbjs static or static-module generation on untrusted JSON descriptors. If untrusted JSON descriptors must be accepted, validate descriptor-derived names before code generation and reject names that could not have been produced by parsing a valid .proto file. Running code generation in an isolated environment can reduce impact.

AnalysisAI

Code injection in protobufjs-cli pbjs static and static-module code generation allows attacker-influenced JSON descriptor names to be emitted as unsafe JavaScript references in generated output, leading to arbitrary code execution when the generated file is later imported and an affected API path is invoked. This affects npm protobufjs-cli versions <= 1.3.1 and 2.0.0 through 2.4.2, and is an incomplete-fix bypass of CVE-2026-44295 (GHSA-6r35-46g8-jcw9). At time of analysis, no public exploit identified and no CISA KEV listing, but vendor-released patches exist in 1.3.2 and 2.5.0.

Technical ContextAI

protobufjs-cli ships the pbjs tool that converts Protocol Buffer schemas into static JavaScript modules. When pbjs operates in static or static-module mode, it walks a parsed descriptor tree and emits JavaScript identifiers (such as message, field, enum and service names) directly into the generated source. The root cause maps to CWE-94 (Improper Control of Generation of Code, i.e. code injection): descriptor-derived names taken from pre-parsed JSON input are interpolated into generated JS without sufficient validation that they could only have been produced by a legitimate .proto parser, allowing crafted names to escape identifier context and inject arbitrary JavaScript. The affected CPEs are pkg:npm/protobufjs-cli; the protobuf.js runtime library and the normal flow of parsing trusted .proto files are not implicated.

RemediationAI

Vendor-released patch: upgrade protobufjs-cli to 1.3.2 on the 1.x line or 2.5.0 on the 2.x line, as published in GHSA-pr59-h9ph-3fr8 (https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-pr59-h9ph-3fr8) and mirrored at https://github.com/advisories/GHSA-pr59-h9ph-3fr8; teams that only patched against CVE-2026-44295 must upgrade again because this issue is a bypass of that fix. Where immediate upgrade is not possible, do not run pbjs static or static-module generation against untrusted pre-parsed JSON descriptors, and prefer feeding pbjs raw .proto files (the unaffected path) instead. If untrusted JSON descriptors must be accepted, validate every descriptor-derived name against the identifier grammar a real .proto parser would have produced and reject anything else, accepting that legitimate-but-unusual names may be blocked; additionally, run code generation inside an isolated environment (ephemeral container, unprivileged user, no network and no source-tree write access) so that any injected code that later executes is contained, recognizing this only reduces impact rather than preventing injection.

Share

EUVD-2026-38304 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy