CVE-2026-42290 - Vulnerability Details

- protobufjs-cli: OS Command Injection

Description

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments. This vulnerability is fixed in 1.2.1 and 2.0.2.

Published: 2026-05-13

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The protobufjs-cli vulnerability allows an attacker who can control the file paths passed to the pbts command to inject shell metacharacters into the command string that is executed via child_process.exec. This injection enables arbitrary shell command execution, effectively Remote Code Execution on the system where the CLI is run. The weakness is a classic instance of CWE-78, OS command injection.

Affected Systems

The flaw exists in the protobuf.js command line add‑on for all versions prior to 1.2.1 in the 1.x series and prior to 2.0.2 in the 2.x series. Users running any of those pre‑patched releases are impacted.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, implying no confirmed exploitation yet. Because the problem is triggered by executing the CLI locally with untrusted file names, the likely attack vector is local; an attacker who can run pbts and influence the input file paths can easily inject shell commands, resulting in full control over the executing environment.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

protobufjs

protobuf.js

affected

Version	Status	Constraints
`>= 2.0.0, < 2.0.2`	affected	—
`< 1.2.1`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:protobufjs_project:protobufjs-cli::::::node.js::*
	cpe:2.3:a:protobufjs_project:protobufjs-cli::::::node.js::*

No data.

Vendor Product Confidence Versions

Protobuf

87%

Version	Status	Scheme	Platform
`[2.0.0,2.0.2)`	affected	semver	—
`[0,1.2.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade protobuf.js to at least version 1.2.1 for the 1.x line or 2.0.2 for the 2.x line to eliminate the CLI path injection vulnerability.
If an upgrade cannot be performed immediately, run pbts only with trusted file paths, ensuring that the paths contain no shell metacharacters and that they are validated or escaped before being passed to the tool.
After applying the upgrade or implementing the temporary input restriction, monitor system logs for unexpected or malicious shell executions and verify that pbts no longer assembles and executes shell command strings based on file paths.

Generated by OpenCVE AI on May 13, 2026 at 17:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-f84p-cvgm-xgjj	protobuf.js is Vulnerable to OS Command Injection in the CLI

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00022.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f84p-cvgm-xgjj

History

Tue, 19 May 2026 21:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Protobufjs Project Protobufjs Project protobufjs-cli
CPEs		cpe:2.3:a:protobufjs_project:protobufjs-cli::::::node.js::*
Vendors & Products		Protobufjs Project Protobufjs Project protobufjs-cli

Mon, 18 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 14 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Protobuf Protobuf protobuf
Vendors & Products		Protobuf Protobuf protobuf

Wed, 13 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Description		protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments. This vulnerability is fixed in 1.2.1 and 2.0.2.
Title		protobufjs-cli: OS Command Injection
Weaknesses		CWE-78
References		https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f84p-cvgm-xgjj
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

Protobuf Protobuf

Protobufjs Project Protobufjs-cli

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-13T14:49:30.030Z

Updated: 2026-05-18T13:54:57.889Z

Reserved: 2026-04-26T12:13:55.551Z

Link: CVE-2026-42290

Vulnrichment

Updated: 2026-05-18T13:53:13.353Z

NVD

Status : Analyzed

Published: 2026-05-13T16:16:47.160

Modified: 2026-05-19T20:56:15.433

Link: CVE-2026-42290

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:30:15Z

Weaknesses

CWE-78

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object