A code generation vulnerability in protobufjs-cli allows unsafe JavaScript identifiers to be emitted when generating static code from crafted Protocol Buffer schemas or JSON descriptors. The pbjs tool fails to sufficiently sanitize namespace, enum, service, and derived full names controlled by schema input, potentially resulting in code injection in generated output. This affects static code generation wo [truncated]
A command injection vulnerability exists in protobufjs-cli, the command-line add-on for protobuf.js. The `pbts` tool constructs shell command strings from input file paths and executes them via `child_process.exec` without proper sanitization. File paths containing shell metacharacters can be interpreted by the shell rather than passed as literal arguments to JSDoc, enabling arbitrary code execution. This [truncated]
