Description
protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization. This vulnerability is fixed in 1.2.1 and 2.0.2.
Published: 2026-05-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pbjs static code generation emits unsafe JavaScript identifiers derived from schema names, enabling an attacker to inject arbitrary JavaScript into the generated output. This injection can lead to remote code execution if the produced code is executed on a system with sufficient privileges.

Affected Systems

The vulnerability affects the protobuf.js command line add‑on, protobufjs-cli, specifically versions of pbjs older than 1.2.1 and 2.0.2. Only the static code generation feature is impacted.

Risk and Exploitability

The CVSS score of 8.7 categorizes this as a high‑severity flaw. No EPSS score is available and it is not listed in CISA KEV. Exploitation requires delivering a crafted schema or JSON descriptor to the pbjs CLI and subsequently executing the resulting JavaScript; the likely attack vector is a build pipeline or deployment process that consumes third‑party schemas.

Generated by OpenCVE AI on May 13, 2026 at 17:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade protobufjs-cli to version 1.2.1 or later (1.x line) or 2.0.2 or later (2.x line), so that the pbjs CLI uses the patched code generation logic.
  • If an upgrade is not immediately possible, avoid executing static JavaScript generated by pbjs from untrusted schemas; run the generation in a restricted environment.
  • Validate or sanitize schema and JSON descriptor names prior to passing them to pbjs CLI to eliminate unsafe identifiers.
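One way to implement the last action, added here as an example that is not part of protobufjs-cli or the advisory: a pre-check that walks a protobuf.js JSON descriptor before it is handed to pbjs and reports every name that is not a plain JavaScript identifier. It assumes the protobuf.js descriptor layout (`nested` / `fields` / `values` / `methods`) and uses a constructed sample descriptor.

```javascript
// Added example, not protobufjs-cli code. Pre-checks a protobuf.js JSON
// descriptor before it reaches `pbjs` and reports every namespace, message,
// enum, service, field, enum value or method name that is not a plain
// JavaScript identifier. Assumes the protobuf.js descriptor layout
// { nested: { Name: { fields | values | methods | nested } } }.

const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
// Reserved words that match IDENT but cannot be used as binding names.
const RESERVED = new Set([
  "await", "break", "case", "catch", "class", "const", "continue", "debugger",
  "default", "delete", "do", "else", "enum", "export", "extends", "false",
  "finally", "for", "function", "if", "implements", "import", "in",
  "instanceof", "interface", "let", "new", "null", "package", "private",
  "protected", "public", "return", "static", "super", "switch", "this",
  "throw", "true", "try", "typeof", "var", "void", "while", "with", "yield",
]);

function isSafeIdentifier(name) {
  return typeof name === "string" && IDENT.test(name) && !RESERVED.has(name);
}

// Returns the dotted path of every unsafe name, depth-first, so a build step
// can refuse the descriptor (non-empty result) before generation runs.
function findUnsafeNames(descriptor, prefix = "") {
  const bad = [];
  for (const [name, node] of Object.entries(descriptor.nested || {})) {
    const path = prefix ? `${prefix}.${name}` : name;
    if (!isSafeIdentifier(name)) bad.push(path);
    for (const kind of ["fields", "values", "methods"]) {
      for (const child of Object.keys(node[kind] || {})) {
        if (!isSafeIdentifier(child)) bad.push(`${path}.${child}`);
      }
    }
    bad.push(...findUnsafeNames(node, path)); // recurse into sub-namespaces
  }
  return bad;
}

// Constructed sample: two well-formed types, one enum whose name is not an
// identifier, and one service method named with a reserved word.
const SAMPLE_DESCRIPTOR = { nested: { app: { nested: {
  Greeting: { fields: { text: { type: "string", id: 1 } } },
  Level: { values: { LOW: 0, HIGH: 1 } },
  "Bad-Name": { values: { X: 0 } },
  Svc: { methods: { class: { requestType: "Greeting", responseType: "Greeting" } } },
} } } };

// findUnsafeNames(SAMPLE_DESCRIPTOR) -> ["app.Bad-Name", "app.Svc.class"]
```

A non-empty result should fail the build; the same walk can be applied to descriptors produced from .proto files with `protobufjs`'s `Root.toJSON()` before invoking pbjs.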


Advisories

Source: Github GHSA
ID: GHSA-6r35-46g8-jcw9
Title: protobuf.js: Code injection in pbjs static output from crafted schema names
History

Tue, 19 May 2026 20:45:00 +0000

Type: First Time appeared
Values Added: Protobufjs Project; Protobufjs Project protobufjs-cli

Type: CPEs
Values Added: cpe:2.3:a:protobufjs_project:protobufjs-cli:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: Protobufjs Project; Protobufjs Project protobufjs-cli

Thu, 14 May 2026 14:45:00 +0000

Type: First Time appeared
Values Added: Protobuf; Protobuf protobuf

Type: Vendors & Products
Values Added: Protobuf; Protobuf protobuf

Wed, 13 May 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 15:15:00 +0000

Type: Description
Values Added: protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization. This vulnerability is fixed in 1.2.1 and 2.0.2.

Type: Title
Values Added: protobufjs-cli: Code injection in pbjs static output from crafted schema names

Type: Weaknesses
Values Added: CWE-94

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T18:20:05.652Z

Reserved: 2026-05-05T17:39:31.113Z

Link: CVE-2026-44295

Vulnrichment

Updated: 2026-05-13T18:14:08.543Z

NVD

Status: Analyzed

Published: 2026-05-13T16:16:56.507

Modified: 2026-05-19T20:37:36.807

Link: CVE-2026-44295

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:30:15Z

Weaknesses