GHSA-pr59-h9ph-3fr8

Suggest an improvement
Source
https://github.com/advisories/GHSA-pr59-h9ph-3fr8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-pr59-h9ph-3fr8/GHSA-pr59-h9ph-3fr8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pr59-h9ph-3fr8
Aliases
Related
Published
2026-06-15T20:13:54Z
Modified
2026-07-15T22:30:44.489826655Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L CVSS Calculator
Summary
protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names
Details

Summary

A previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas from .proto files is not affected.

This is a bypass of GHSA-6r35-46g8-jcw9 / CVE-2026-44295.

Impact

An attacker who can provide or influence pre-parsed JSON descriptors passed to pbjs static code generation may be able to cause generated JavaScript output to contain attacker-controlled code.

The injected code may execute if the generated file is later executed or imported and an affected generated API path is invoked.

Preconditions

  • The application or build process must run pbjs static code generation on a pre-parsed JSON descriptor influenced by an attacker.
  • The generated JavaScript file must subsequently be executed or imported.
  • An affected generated API path must be invoked.

Workarounds

Do not run affected versions of pbjs static or static-module generation on untrusted JSON descriptors. If untrusted JSON descriptors must be accepted, validate descriptor-derived names before code generation and reject names that could not have been produced by parsing a valid .proto file. Running code generation in an isolated environment can reduce impact.

Database specific
{
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "HIGH",
    "github_reviewed_at": "2026-06-15T20:13:54Z",
    "github_reviewed": true,
    "nvd_published_at": "2026-06-22T18:16:45Z"
}
References

Affected packages

npm / protobufjs-cli

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3.2

Database specific

last_known_affected_version_range
"<= 1.3.1"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-pr59-h9ph-3fr8/GHSA-pr59-h9ph-3fr8.json"

npm / protobufjs-cli

Package

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.5.0

Database specific

last_known_affected_version_range
"<= 2.4.2"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-pr59-h9ph-3fr8/GHSA-pr59-h9ph-3fr8.json"