GHSA-pr59-h9ph-3fr8HighCVSS 8.2

protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names

Published
June 15, 2026
Last Modified
June 15, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

A previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas from .proto files is not affected.

This is a bypass of GHSA-6r35-46g8-jcw9 / CVE-2026-44295.

Impact

An attacker who can provide or influence pre-parsed JSON descriptors passed to pbjs static code generation may be able to cause generated JavaScript output to contain attacker-controlled code.

The injected code may execute if the generated file is later executed or imported and an affected generated API path is invoked.

Preconditions

  • The application or build process must run pbjs static code generation on a pre-parsed JSON descriptor influenced by an attacker.
  • The generated JavaScript file must subsequently be executed or imported.
  • An affected generated API path must be invoked.

Workarounds

Do not run affected versions of pbjs static or static-module generation on untrusted JSON descriptors. If untrusted JSON descriptors must be accepted, validate descriptor-derived names before code generation and reject names that could not have been produced by parsing a valid .proto file. Running code generation in an isolated environment can reduce impact.

🎯 Affected products2

  • npm/protobufjs-cli:<= 1.3.1
  • npm/protobufjs-cli:>= 2.0.0, <= 2.4.2

🔗 References (2)