protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names
- When
- Where
- Global (internet)
- Category
- cyber_advisory · npm
## Summary A previous fix for unsafe name handling in `pbjs` static / static-module code generation was incomplete. Affected versions of `protobufjs-cli` could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas from `.proto` files is not affected. This is a bypass of GHSA-6r35-46g8-jcw9 / CVE-2026-44295. ## Impact An attacker who can provide or influence pre-parsed JSON descriptors passed to `pbjs` static code generation may be able to cause generated JavaScript output to contain attacker-controlled code. The injected code may execute if the generated file is later executed or imported and an affected generated API path is invoked. ## Preconditions * The application or build process must run `pbjs` static code generation on a pre-parsed JSON descriptor influenced by an attacker. * The generated JavaScript file must subsequently be executed or imported. * An affected generated API path must be invoked. ## Workarounds Do not run affected versions of `pbjs` static or static-module generation on untrusted JSON descriptors. If untrusted JSON descriptors must be accepted, validate descriptor-derived names before code generation and reject names that could not have been produced by parsing a valid `.proto` file. Running code generation in an isolated environment can reduce impact.
Sources
- GitHub Advisory Database ↗ · first seen 2026-06-15 20:13 UTC
Defaxon links out to the original reporting and never republishes article text.
Correlated events
Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.