PT-2026-49586 · Npm · Protobufjs-Cli
Published 2026-06-15 · Updated 2026-06-15
CVE-2026-54271
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
Summary
A previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas from .proto files is not affected. This is a bypass of GHSA-6r35-46g8-jcw9 / CVE-2026-44295.
Impact
An attacker who can provide or influence pre-parsed JSON descriptors passed to pbjs static code generation may be able to cause the generated JavaScript output to contain attacker-controlled code. The injected code may execute if the generated file is later executed or imported and an affected generated API path is invoked.
Preconditions
- The application or build process must run pbjs static code generation on a pre-parsed JSON descriptor influenced by an attacker.
- The generated JavaScript file must subsequently be executed or imported.
- An affected generated API path must be invoked.
Workarounds
Do not run affected versions of pbjs static or static-module generation on untrusted JSON descriptors. If untrusted JSON descriptors must be accepted, validate descriptor-derived names before code generation and reject names that could not have been produced by parsing a valid .proto file. Running code generation in an isolated environment can reduce impact.
Fix
Code Injection
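One way to apply the Workarounds advice above, as an added example that is not protobufjs-cli's own code: before handing a JSON descriptor to pbjs, walk it and reject any declared name or type reference that does not match the .proto identifier grammar (a letter or underscore followed by letters, digits or underscores; type references may be dotted and may start with a leading dot). The descriptor layout assumed here is the nested/fields/oneofs/values/methods JSON shape that protobufjs produces from Root#toJSON(); the function names and the two constructed descriptors are illustrative, and the check says nothing about which names the actual bypass used.

```javascript
// Added example, not protobufjs-cli's own code: reject a protobufjs-style JSON
// descriptor containing names that no .proto parser could have produced.
// Assumed descriptor layout: nested / fields / oneofs / values / methods objects
// keyed by declared name, as protobufjs emits from Root#toJSON().

const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
// Type references may be dotted and may be fully qualified with a leading dot.
const TYPE_REF = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

function checkName(name, path, errors) {
  if (typeof name !== 'string' || !IDENT.test(name)) {
    errors.push(`${path}: invalid identifier ${JSON.stringify(name)}`);
  }
}

function checkTypeRef(ref, path, errors) {
  if (typeof ref !== 'string' || !TYPE_REF.test(ref)) {
    errors.push(`${path}: invalid type reference ${JSON.stringify(ref)}`);
  }
}

// Walk one namespace node (package, message, enum or service) and collect problems.
function walk(node, path, errors) {
  if (!isPlainObject(node)) {
    errors.push(`${path}: expected an object`);
    return;
  }
  for (const key of ['nested', 'fields', 'oneofs', 'values', 'methods']) {
    const group = node[key];
    if (group === undefined) continue;
    if (!isPlainObject(group)) {
      errors.push(`${path}.${key}: expected an object`);
      continue;
    }
    for (const name of Object.keys(group)) {
      const childPath = `${path}.${key}.${name}`;
      checkName(name, childPath, errors); // every declared name must be an identifier
      const child = group[name];
      if (key === 'nested') {
        walk(child, childPath, errors); // recurse into sub-packages, messages, services
      } else if (key === 'fields') {
        if (!isPlainObject(child)) { errors.push(`${childPath}: expected an object`); continue; }
        checkTypeRef(child.type, `${childPath}.type`, errors);
        if (child.keyType !== undefined) checkTypeRef(child.keyType, `${childPath}.keyType`, errors);
      } else if (key === 'oneofs') {
        const members = isPlainObject(child) ? child.oneof : undefined;
        if (!Array.isArray(members)) { errors.push(`${childPath}.oneof: expected an array`); continue; }
        members.forEach((m, i) => checkName(m, `${childPath}.oneof[${i}]`, errors));
      } else if (key === 'values') {
        if (!Number.isInteger(child)) errors.push(`${childPath}: enum value must be an integer`);
      } else if (key === 'methods') {
        if (!isPlainObject(child)) { errors.push(`${childPath}: expected an object`); continue; }
        checkTypeRef(child.requestType, `${childPath}.requestType`, errors);
        checkTypeRef(child.responseType, `${childPath}.responseType`, errors);
      }
    }
  }
}

// Returns the list of problems found; an empty list means every name passed.
function validateDescriptor(descriptor) {
  const errors = [];
  walk(descriptor, 'root', errors);
  return errors;
}

// Constructed sample: the JSON shape a parsed .proto file would yield.
const GOOD_DESCRIPTOR = {
  nested: { demo: { nested: {
    Greeting: {
      fields: { text: { type: 'string', id: 1 }, kind: { type: 'Kind', id: 2 } },
      oneofs: { body: { oneof: ['text'] } },
    },
    Kind: { values: { PLAIN: 0, RICH: 1 } },
    Greeter: { methods: { Say: { requestType: 'Greeting', responseType: '.demo.Greeting' } } },
  } } },
};

// Constructed sample: a message name and a type reference no .proto parser would produce.
const BAD_DESCRIPTOR = {
  nested: { 'bad-name': { fields: { f: { type: 'Kind)', id: 1 } } } },
};

for (const [label, d] of [['good', GOOD_DESCRIPTOR], ['bad', BAD_DESCRIPTOR]]) {
  console.log(label, validateDescriptor(d));
}
```

Run this as a gate in the build step that feeds descriptors to pbjs and abort on a non-empty result; because the grammar is the one pbjs itself accepts from .proto input, a rejection here only ever blocks input that the .proto path would have refused anyway.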
Weakness Enumeration
Related Identifiers
Affected Products
Protobufjs-Cli