PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42290 protobufjs CVE debrief

A command injection vulnerability exists in protobufjs-cli, the command-line add-on for protobuf.js. The `pbts` tool constructs shell command strings from input file paths and executes them via `child_process.exec` without proper sanitization. File paths containing shell metacharacters can be interpreted by the shell rather than passed as literal arguments to JSDoc, enabling arbitrary code execution. This vulnerability affects versions prior to 1.2.1 in the 1.x branch and versions 2.0.0 through 2.0.1 in the 2.x branch. The issue is resolved in versions 1.2.1 and 2.0.2.

Vendor: protobufjs
Product: protobuf.js
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-05-19
Advisory published: 2026-05-13
Advisory updated: 2026-05-19

Who should care

Development teams using protobufjs-cli for TypeScript definition generation, particularly in automated build pipelines, CI/CD systems, or developer tooling workflows where file paths may originate from external or untrusted sources.

Technical summary

The protobufjs-cli package provides the `pbts` command-line tool for generating TypeScript definitions from Protocol Buffer files. The vulnerability exists because `pbts` builds shell command strings by concatenating user-supplied file paths and executes them through `child_process.exec`. When file paths contain shell metacharacters such as backticks, dollar signs, semicolons, or pipes, the shell interprets these characters rather than treating them as literal path components. This allows injection of arbitrary shell commands. The attack requires local access with user interaction (providing a malicious file path), but can result in complete confidentiality, integrity, and availability compromise of the local system. The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H yields a base score of 7.8 (HIGH).

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade protobufjs-cli to 1.2.1 or later on the 1.x branch, or 2.0.2 or later on the 2.x branch
  • Audit build pipelines and CI/CD configurations for usage of pbts with untrusted file paths
  • Implement input validation to sanitize file paths before passing to pbts
  • Consider using child_process.spawn with argument arrays instead of exec for subprocess invocation
  • Review dependency lockfiles for transitive protobufjs-cli usage

Evidence notes

The vulnerability stems from unsafe shell command construction in the `pbts` CLI tool. The NVD record confirms affected version ranges and CVSS 3.1 scoring. The GitHub Security Advisory provides vendor confirmation and fix versions. CWE-78 (OS Command Injection) is the primary weakness classification.

Official resources

2026-05-13