PatchSiren cyber security CVE debrief
CVE-2026-44295 protobufjs CVE debrief
A code generation vulnerability in protobufjs-cli allows unsafe JavaScript identifiers to be emitted when generating static code from crafted Protocol Buffer schemas or JSON descriptors. The pbjs tool fails to sufficiently sanitize namespace, enum, service, and derived full names controlled by schema input, potentially resulting in code injection in generated output. This affects static code generation workflows where untrusted or attacker-influenced schema definitions are processed. The vulnerability is present in versions prior to 1.2.1 and in the 2.0.0 branch prior to 2.0.2.
- Vendor: protobufjs
- Product: protobuf.js
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-13
- Advisory updated: 2026-05-19
Who should care
Development teams using protobufjs-cli for static JavaScript code generation; DevOps and platform engineers managing build pipelines with protobuf compilation steps; security teams auditing supply chain and build-time code generation risks
Technical summary
The protobufjs-cli package provides command-line utilities for protobuf.js, including pbjs for static code generation. When generating static JavaScript from Protocol Buffer schemas or JSON descriptors, the tool constructs identifiers for namespaces, enums, services, and derived full names without adequate sanitization. A crafted schema containing maliciously constructed names can cause these identifiers to be written directly into generated JavaScript output. This represents a code injection vector in the build/development toolchain where schema-controlled input influences generated code structure. The vulnerability requires an attacker to influence the schema input to pbjs, which may occur through compromised dependencies, malicious package submissions, or insider threats in multi-tenant build environments.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade protobufjs-cli to 1.2.1 or later on the 1.x line, or to 2.0.2 or later on the 2.0.x line
- Audit build pipelines and CI/CD systems for protobufjs-cli static code generation usage
- Review and validate all Protocol Buffer schema and JSON descriptor sources before code generation
- Implement schema input validation and sandboxing for untrusted protobuf definitions
- Scan generated JavaScript output for suspicious identifiers when processing external schemas
- Monitor for anomalous pbjs execution in development and build environments
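One concrete form of the "validate schema sources" and "scan for suspicious identifiers" actions above, as an added example that is not protobufjs or protobufjs-cli code: it walks a protobuf.js-style JSON descriptor (the nested/fields/values/methods layout is assumed here) and rejects any definition name that is not a plain JavaScript identifier before the descriptor is handed to pbjs.

```javascript
// Added example, not code from protobufjs or protobufjs-cli. Gate for a
// protobuf.js-style JSON descriptor (assumed shape: definitions under "nested",
// with "fields", "values" and "methods" maps): every key pbjs would emit as a
// generated identifier must be a plain JavaScript identifier, not a reserved word.
const SAFE_IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const RESERVED = new Set(("break case catch class const continue debugger default " +
  "delete do else enum export extends finally for function if import in instanceof " +
  "new return super switch this throw try typeof var void while with yield let " +
  "static await implements package protected interface private public eval " +
  "arguments null true false").split(" "));

// True only for names that can be emitted verbatim into generated code.
function isSafeName(name) {
  return typeof name === "string" && SAFE_IDENT.test(name) && !RESERVED.has(name);
}
// Walk the descriptor and return every dotted path whose final component
// fails isSafeName, tagged with the kind of definition it belongs to.
function findUnsafeNames(descriptor, path = []) {
  const bad = [];
  const checkMap = (map, kind) => {
    if (!map || typeof map !== "object") return;
    for (const name of Object.keys(map)) {
      const full = [...path, name].join(".");
      if (!isSafeName(name)) bad.push({ kind, name: full });
      // Namespaces, messages, enums and services nest further definitions.
      if (kind === "nested") bad.push(...findUnsafeNames(map[name], [...path, name]));
    }
  };
  checkMap(descriptor.nested, "nested");
  checkMap(descriptor.fields, "field");
  checkMap(descriptor.values, "enum value");
  checkMap(descriptor.methods, "method");
  return bad;
}
// Constructed sample: one unsafe field name, one unsafe enum value, and a
// message named with a reserved word; everything else is a normal identifier.
const constructedDescriptor = { nested: { shop: { nested: {
  Order: { fields: { id: { type: "uint32", id: 1 }, "id; injected": { type: "string", id: 2 } } },
  Status: { values: { OK: 0, "BAD-NAME": 1 } },
  OrderSvc: { methods: { Get: { requestType: "Order", responseType: "Order" } } },
  class: { fields: {} },
} } } };

// Refuse to hand the descriptor to pbjs when the gate finds anything.
function gateDescriptor(descriptor) {
  const problems = findUnsafeNames(descriptor);
  return { ok: problems.length === 0, problems };
}
console.log(JSON.stringify(gateDescriptor(constructedDescriptor), null, 2));
```

The regex is deliberately narrower than the ECMAScript identifier grammar (no Unicode letters or escapes), which is the safe direction for a build gate; the same rule can be run over the identifiers in pbjs output as a second check after generation.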
Evidence notes
Official CVE record published 2026-05-13; NVD entry modified 2026-05-19. GitHub Security Advisory GHSA-6r35-46g8-jcw9 provides vendor acknowledgment and fix details. CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N reflects network attack vector with low attack complexity, low privileges required, user interaction needed, and high impact to confidentiality and integrity with scope change.
Official resources
- CVE-2026-44295 CVE record (CVE.org)
- CVE-2026-44295 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory, 2026-05-13T16:16:56.507Z