A high-severity code injection vulnerability in protobufjs-cli, the command-line companion to one of npm’s most downloaded packages, could allow attackers to plant malicious code in auto-generated JavaScript files that silently execute the moment a developer or CI system imports them.
Protocol Buffers (protobuf) is Google’s language-neutral serialization format that underpins gRPC services, Firebase SDKs, Google Cloud client libraries, and countless microservice APIs.
The protobufjs runtime is downloaded roughly 52 million times per week on npm, making it one of the most pervasive libraries in modern JavaScript infrastructure. Its CLI companion, protobufjs-cli, provides the pbjs command used by developers to compile .proto schema files into static JavaScript output.
On May 12, 2026, security researcher VladimirEliTokarev disclosed a critical flaw in that exact code-generation path, published under GHSA-6r35-46g8-jcw9 and tracked as CVE-2026-44295.
CVE-2026-44295: Code Injection Vulnerability
The flaw resides in how pbjs handles schema-controlled names, specifically the names of namespaces, enums, services, and derived full names embedded in a .proto schema or JSON descriptor. When generating static JavaScript output, pbjs wrote these names directly into the generated file without sufficient sanitization.
This is a CWE-94 (Improper Control of Code Generation) weakness. The root cause mirrors a broader pattern seen across developer tooling: a string originating from attacker-influenced input is interpolated directly into a code template that later gets compiled or executed, essentially eval() by another name.
The attack chain is straightforward:
- An attacker crafts a malicious
.protoschema or JSON descriptor containing specially formed names (e.g., a namespace name that embeds closing parentheses, semicolons, or payload JavaScript). - A developer or automated CI pipeline runs
pbjs staticagainst that schema, producing a JavaScript file. - The generated file contains the attacker’s injected code.
- When the application imports or executes that generated file, the injected code runs automatically with the privileges of the Node.js process.
CVE-2026-44295 carries a CVSS v3.1 score of 8.7 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N. The scope is marked Changed, meaning the injected code can affect resources beyond the component’s own security boundary a particularly dangerous characteristic for build-time tools.
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | None |
The “User Interaction Required” designation indicates that a developer must execute or import the generated file. However, in practice, this happens automatically in CI/CD pipelines and build processes without explicit human review.
The vulnerability affects protobufjs-cli versions ≤1.2.0 and ≥2.0.0 through ≤2.0.1. Any organization that runs pbjs static code generation against a schema or JSON descriptor sourced from outside a strictly controlled, internal trust boundary is in scope.
This is a broader attack surface than it might initially appear. Development teams routinely consume protobuf definitions from:
- Public schema registries such as the Buf Schema Registry
- Third-party partner integrations sharing
.protofiles over Slack, portals, or gists - Shared internal registries where a single compromised developer account becomes a pivot
- gRPC server reflection, where a rogue server can return a poisoned descriptor in the same round-trip it describes its own API
Applications that exclusively use fully trusted, version-controlled internal schemas and do not run pbjs against external input are not directly affected.
If exploitation succeeds, the attacker-injected code runs inside the Node.js process with access to environment variables, service credentials, database connections, and KMS-decrypted secrets. For services sitting adjacent to internal APIs and data stores, this translates to full remote code execution followed by lateral movement across the infrastructure.
This vulnerability is part of a broader wave of codegen injection flaws discovered in developer tooling throughout 2026. Six vulnerabilities in the protobuf.js ecosystem during the same disclosure round, including prototype pollution, prototype injection gadgets, denial-of-service, and code injection.
A related critical flaw, CVE-2026-41242 (CVSS 9.8), targeted the runtime decoding path of protobufjs itself, allowing arbitrary code execution when an application decodes a message against an attacker-supplied schema.
Patches and Mitigations
The maintainer of dcodeIO released patched versions within the same disclosure window:
- protobufjs-cli v1.2.1 — patches the ≤1.2.0 branch
- protobufjs-cli v2.0.2 — patches the 2.0.0–2.0.1 range
Developers should update immediately using npm install protobufjs-cli@latest and verify their version with npm ls protobufjs-cli. Until patching is complete, the following workarounds apply:
- Do not run
pbjsstatic generation on untrusted schemas or descriptors from any external source. - Validate all schema names before passing them to code generation; reject any names containing non-alphanumeric characters.
- Run
pbjsin an isolated sandboxed environment if accepting untrusted input is unavoidable. - Treat
.protofiles and JSON descriptors as executable code, applying the same SCA rigor and review discipline as any npm dependency.
FAQ
Q1: What is CVE-2026-44295?
It is a high-severity (CVSS 8.7) code injection flaw protobufjs-cli where crafted schema names can embed malicious JavaScript into pbjs-generated static output files.
Q2: Which versions of protobufjs-cli are vulnerable?
All versions ≤1.2.0 and versions 2.0.0 through 2.0.1 are affected; patched releases are 1.2.1 and 2.0.2.
Q3: Does this vulnerability affect applications that only use trusted schemas?
No, applications that exclusively run pbjs on fully trusted, internally controlled schemas and never import output from untrusted sources are not directly affected.
Q4: How can developers protect their build pipelines immediately?
Update to patched versions, avoid running pbjs on external schemas, validate all schema names for non-alphanumeric characters, and treat .proto files with the same scrutiny as executable dependencies.
Site: thecybrdef.com
For more insights and updates, follow us on Google News, Twitter, and LinkedIn.
About the Author
