PT-2026-40533 · Npm · Protobufjs-Cli

Published: 2026-05-12 · Updated: 2026-05-13 · CVE-2026-42290

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
protobufjs-cli versions prior to 1.2.1
protobufjs-cli versions prior to 2.0.2

Description
The pbts command-line tool invokes JSDoc by constructing a shell command string from input file paths and executing it via child_process.exec. File paths containing shell metacharacters are interpreted by the shell rather than being treated as plain arguments. This allows an attacker who can control file names or paths passed to pbts to execute arbitrary shell commands with the privileges of the process running the tool. This issue specifically affects the CLI tooling path and does not impact the runtime APIs used for encoding, decoding, parsing, and loading protobuf messages.

Recommendations
Update to version 1.2.1.
Update to version 2.0.2.
Avoid running pbts on file names or paths controlled by untrusted users.
Sanitize or rename input files before invoking pbts.
Run the CLI in an isolated environment with minimal privileges.

Fix

Weakness Enumeration
OS Command Injection

Related Identifiers
CVE-2026-42290
GHSA-F84P-CVGM-XGJJ

Affected Products
Protobufjs-Cli