A previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas from .proto files is not affected.
This is a bypass of GHSA-6r35-46g8-jcw9 / CVE-2026-44295.
An attacker who can provide or influence pre-parsed JSON descriptors passed to pbjs static code generation may be able to cause generated JavaScript output to contain attacker-controlled code.
The injected code may execute if the generated file is later executed or imported and an affected generated API path is invoked.
pbjs static code generation on a pre-parsed JSON descriptor influenced by an attacker.Do not run affected versions of pbjs static or static-module generation on untrusted JSON descriptors. If untrusted JSON descriptors must be accepted, validate descriptor-derived names before code generation and reject names that could not have been produced by parsing a valid .proto file. Running code generation in an isolated environment can reduce impact.
{
"cwe_ids": [
"CWE-94"
],
"severity": "HIGH",
"github_reviewed_at": "2026-06-15T20:13:54Z",
"github_reviewed": true,
"nvd_published_at": "2026-06-22T18:16:45Z"
}