GHSA-F84P-CVGM-XGJJ

Vulnerability from github – Published: 2026-05-12 14:59 – Updated: 2026-05-14 20:31
Summary
protobuf.js is Vulnerable to OS Command Injection in the CLI
Details

Summary

pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments.

Impact

An attacker who can control file names or paths passed to pbts may be able to execute arbitrary shell commands with the privileges of the process running pbts.

This affects the protobufjs CLI tooling path. The protobufjs runtime APIs for encoding, decoding, parsing, and loading protobuf messages are not directly affected by this issue.

Preconditions

  • The application or user must invoke pbts on file paths influenced by an attacker.
  • The attacker must be able to supply or create a path containing shell-significant characters.
  • The vulnerable pbts version must execute the generated JSDoc command through a shell.

Workarounds

Do not run affected versions of pbts on attacker-controlled file names or paths. If this cannot be avoided, sanitize or rename input files before invoking pbts, or run the CLI in an isolated environment with minimal privileges.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.2.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "protobufjs-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "protobufjs-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42290"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-12T14:59:45Z",
    "nvd_published_at": "2026-05-13T16:16:47Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`pbts` invoked JSDoc by building a shell command string from input file paths and executing it through `child_process.exec`. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments.\n\n## Impact\n\nAn attacker who can control file names or paths passed to `pbts` may be able to execute arbitrary shell commands with the privileges of the process running `pbts`.\n\nThis affects the protobufjs CLI tooling path. The protobufjs runtime APIs for encoding, decoding, parsing, and loading protobuf messages are not directly affected by this issue.\n\n## Preconditions\n\n- The application or user must invoke `pbts` on file paths influenced by an attacker.\n- The attacker must be able to supply or create a path containing shell-significant characters.\n- The vulnerable `pbts` version must execute the generated JSDoc command through a shell.\n\n## Workarounds\n\nDo not run affected versions of `pbts` on attacker-controlled file names or paths. If this cannot be avoided, sanitize or rename input files before invoking `pbts`, or run the CLI in an isolated environment with minimal privileges.",
  "id": "GHSA-f84p-cvgm-xgjj",
  "modified": "2026-05-14T20:31:52Z",
  "published": "2026-05-12T14:59:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f84p-cvgm-xgjj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42290"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/protobufjs/protobuf.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-cli-v1.2.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-cli-v2.0.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "protobuf.js is Vulnerable to OS Command Injection in the CLI"
}
