CVE-2026-54271
Analyzed Analyzed - Analysis Complete

Code Injection in protobufjs-cli via JSON Descriptor

Vulnerability report for CVE-2026-54271, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.3.2 and 2.5.0, a previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas from .proto files is not affected. This is a bypass of CVE-2026-44295. An attacker who can provide or influence pre-parsed JSON descriptors passed to pbjs static code generation may be able to cause generated JavaScript output to contain attacker-controlled code. The injected code may execute if the generated file is later executed or imported and an affected generated API path is invoked. This vulnerability is fixed in 1.3.2 and 2.5.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-24
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
protobufjs_project protobufjs-cli to 1.3.2 (exc)
protobufjs_project protobufjs-cli From 2.0.0 (inc) to 2.5.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker to inject arbitrary code into generated JavaScript files, potentially leading to unauthorized code execution. Such unauthorized execution can compromise the confidentiality and integrity of data processed by affected systems.

Since standards like GDPR and HIPAA require strict controls to protect personal and sensitive data, a vulnerability that could lead to unauthorized code execution and data compromise may negatively impact compliance with these regulations.

Mitigating this vulnerability by validating input and isolating code generation processes is important to maintain compliance with these standards.

Executive Summary

CVE-2026-54271 is a code injection vulnerability in the protobufjs library, specifically in the pbjs static and static-module code generation tools.

The vulnerability occurs when crafted JSON descriptor names are used, allowing an attacker to inject unsafe JavaScript references into the generated static output.

This issue bypasses a previous fix for unsafe name handling (CVE-2026-44295) and can lead to arbitrary code execution if the generated file is later executed or imported and an affected API path is invoked.

The vulnerability requires an attacker to influence the JSON descriptors passed to pbjs.

Impact Analysis

This vulnerability can lead to arbitrary code execution, which may compromise the confidentiality and integrity of your system.

An attacker who can provide or influence pre-parsed JSON descriptors passed to pbjs static code generation may cause generated JavaScript output to contain attacker-controlled code.

If the generated file is later executed or imported and an affected API path is invoked, the injected code may execute, potentially allowing unauthorized actions or data exposure.

Detection Guidance

Detection of this vulnerability involves identifying usage of the protobufjs-cli tool versions prior to 1.3.2 and 2.5.0 that generate static JavaScript output from JSON descriptors.

Since the vulnerability arises from crafted JSON descriptor input passed to the pbjs static or static-module code generation, you can check for suspicious or untrusted JSON descriptor files used in your build or code generation processes.

There are no specific commands provided in the resources to detect exploitation or presence of this vulnerability on your system or network.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade protobufjs-cli to version 1.3.2 or 2.5.0 or later, where the issue is fixed.

Avoid using untrusted or attacker-controlled JSON descriptors as input to the pbjs static or static-module code generation tools.

Validate all names in JSON descriptors before using them for code generation to prevent injection of unsafe JavaScript references.

Consider running the code generation process in an isolated environment to limit potential impact if malicious code is generated.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54271. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart