Description
protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.3.2 and 2.5.0, a previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas from .proto files is not affected. This is a bypass of CVE-2026-44295. An attacker who can provide or influence pre-parsed JSON descriptors passed to pbjs static code generation may be able to cause generated JavaScript output to contain attacker-controlled code. The injected code may execute if the generated file is later executed or imported and an affected generated API path is invoked. This vulnerability is fixed in 1.3.2 and 2.5.0.
Published: 2026-06-22
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in protobufjs-cli's pbjs static code generation allows crafted JSON descriptor names to be written directly into emitted JavaScript, creating arbitrary executable code. The weakness is a code injection failure (CWE-94). If the generated file is later executed or imported and an affected API function is called, the injected code runs, giving the attacker arbitrary control over the target environment.

Affected Systems

All protobufjs-cli releases prior to 1.3.2 and 2.5.0 are vulnerable when generating static or static-module output. The common workflow of parsing .proto files directly is not affected.

Risk and Exploitability

The CVSS score of 8.2 marks this as a high-severity vulnerability. It is not listed in the CISA KEV catalog and no public exploit exists. Exploitation requires the attacker to supply or tamper with the pre-parsed JSON descriptor used by pbjs. This typically demands access to the build environment or control over upstream descriptor distribution, after which the injected code will execute upon loading or calling the generated API.

Generated by OpenCVE AI on June 22, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade protobufjs-cli to 1.3.2 or 2.5.0 (or later), which contain the fix for unsafe name handling in static code generation.
  • Validate that any JSON descriptor file consumed by pbjs static generation comes from a trusted, authenticated source; reject or sanitize descriptors that could contain crafted names.
  • Restrict the generation and execution of static JavaScript modules to environments where the code has been manually reviewed, and avoid exposing the generated API functions to untrusted users or services.


Advisories
Source: GitHub GHSA
ID: GHSA-pr59-h9ph-3fr8
Title: protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names
History

Mon, 22 Jun 2026 17:30:00 +0000

Values Added (no values removed):

Description: protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.3.2 and 2.5.0, a previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas from .proto files is not affected. This is a bypass of CVE-2026-44295. An attacker who can provide or influence pre-parsed JSON descriptors passed to pbjs static code generation may be able to cause generated JavaScript output to contain attacker-controlled code. The injected code may execute if the generated file is later executed or imported and an affected generated API path is invoked. This vulnerability is fixed in 1.3.2 and 2.5.0.
Title: protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names
Weaknesses: CWE-94
References: (none)
Metrics: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T16:16:05.062Z

Reserved: 2026-06-12T17:13:32.280Z

Link: CVE-2026-54271

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T18:30:15Z

Weaknesses
  • CWE-94: Improper Control of Generation of Code ('Code Injection')