CVE-2026-54271
Code Injection in protobufjs-cli via JSON Descriptor

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.3.2 and 2.5.0, a previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas from .proto files is not affected. This is a bypass of CVE-2026-44295. An attacker who can provide or influence pre-parsed JSON descriptors passed to pbjs static code generation may be able to cause generated JavaScript output to contain attacker-controlled code. The injected code may execute if the generated file is later executed or imported and an affected generated API path is invoked. This vulnerability is fixed in 1.3.2 and 2.5.0.
Meta Information
Generated: 2026-06-23
AI Q&A generated: 2026-06-22
EPSS evaluated: N/A
Affected Vendors & Products
Vendor       Product         Version / Range
protobufjs   protobufjs-cli  up to 2.5.0 (excluding)
protobufjs   protobufjs      up to 1.3.2 (excluding)
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Executive Summary

CVE-2026-54271 is a code injection vulnerability in protobufjs-cli, the command line add-on for protobuf.js, specifically in its pbjs static and static-module code generation.

The vulnerability occurs when crafted JSON descriptor names are used, allowing an attacker to inject unsafe JavaScript references into the generated static output.

This issue bypasses a previous fix for unsafe name handling (CVE-2026-44295) and can lead to arbitrary code execution if the generated file is later executed or imported and an affected API path is invoked.

The vulnerability requires an attacker to influence the JSON descriptors passed to pbjs.

Impact Analysis

This vulnerability can lead to arbitrary code execution, which may compromise the confidentiality and integrity of your system.

An attacker who can provide or influence pre-parsed JSON descriptors passed to pbjs static code generation may cause generated JavaScript output to contain attacker-controlled code.

If the generated file is later executed or imported and an affected API path is invoked, the injected code may execute, potentially allowing unauthorized actions or data exposure.

Detection Guidance

Detection of this vulnerability involves identifying use of protobufjs-cli versions earlier than 1.3.2 or 2.5.0 that generate static JavaScript output from JSON descriptors.

Since the vulnerability arises from crafted JSON descriptor input passed to pbjs static or static-module code generation, check whether any untrusted or unreviewed JSON descriptor files are used as input to your build or code generation processes.

There are no specific commands provided in the resources to detect exploitation or presence of this vulnerability on your system or network.

Mitigation Strategies

To mitigate this vulnerability, upgrade protobufjs-cli to a fixed version (1.3.2 or 2.5.0, or later).

Avoid using untrusted or attacker-controlled JSON descriptors as input to the pbjs static or static-module code generation tools.

Validate all names in JSON descriptors before using them for code generation to prevent injection of unsafe JavaScript references.

Consider running the code generation process in an isolated environment to limit potential impact if malicious code is generated.
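The name validation recommended above, as an added example that is not part of this advisory or of the protobufjs project: it walks a protobuf.js JSON descriptor and refuses any user-chosen name or type reference that is not a plain JavaScript identifier before the descriptor is handed to static generation. It assumes the protobuf.js JSON descriptor layout (nested, fields, methods, values and oneofs maps keyed by names) and uses a constructed sample descriptor.

```javascript
// Added example (not protobufjs project code). Rejects names in a protobuf.js
// JSON descriptor that are not plain JavaScript identifiers, so a descriptor
// from an untrusted source is refused before it reaches pbjs static generation.
// Assumed layout: { nested: { Msg: { fields, methods, values, oneofs } } }.

const SAFE_IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const RESERVED = new Set(['break', 'case', 'catch', 'class', 'const', 'continue',
  'debugger', 'default', 'delete', 'do', 'else', 'enum', 'export', 'extends',
  'false', 'finally', 'for', 'function', 'if', 'import', 'in', 'instanceof',
  'let', 'new', 'null', 'return', 'static', 'super', 'switch', 'this', 'throw',
  'true', 'try', 'typeof', 'var', 'void', 'while', 'with', 'yield', 'await']);

// Descriptor keys whose values are maps from user-chosen names to definitions,
// and entry keys holding (possibly dotted) type references that reach the output.
const NAME_MAPS = ['nested', 'fields', 'methods', 'values', 'oneofs'];
const TYPE_REFS = ['type', 'keyType', 'requestType', 'responseType'];

function isSafeName(name) {
  return typeof name === 'string' && SAFE_IDENT.test(name) && !RESERVED.has(name);
}

// Walks the descriptor and returns the dotted paths of every unsafe name or
// type reference; an empty array means the descriptor is safe to generate from.
function findUnsafeNames(descriptor, path = '', out = []) {
  if (!descriptor || typeof descriptor !== 'object') return out;
  for (const key of NAME_MAPS) {
    const map = descriptor[key];
    if (!map || typeof map !== 'object') continue;
    for (const name of Object.keys(map)) {
      const here = path ? `${path}.${name}` : name;
      if (!isSafeName(name)) out.push(here);
      const entry = map[name];
      if (!entry || typeof entry !== 'object') continue; // enum values are numbers
      for (const refKey of TYPE_REFS) {
        const ref = entry[refKey];
        if (typeof ref === 'string' && !ref.split('.').every(isSafeName)) {
          out.push(`${here}:${refKey}`);
        }
      }
      findUnsafeNames(entry, here, out); // nested messages, their fields, ...
    }
  }
  return out;
}

// Gate to call before handing a descriptor to code generation.
function assertSafeDescriptor(descriptor) {
  const bad = findUnsafeNames(descriptor);
  if (bad.length > 0) throw new Error(`unsafe descriptor names: ${bad.join(', ')}`);
  return descriptor;
}
```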
