GHSA-pr59-h9ph-3fr8
protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names
Details
## Summary
A previous fix for unsafe name handling in `pbjs` static / static-module code generation was incomplete. Affected versions of `protobufjs-cli` could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas from `.proto` files is not affected.
This is a bypass of GHSA-6r35-46g8-jcw9 / CVE-2026-44295.
## Impact
An attacker who can provide or influence pre-parsed JSON descriptors passed to `pbjs` static code generation may be able to cause generated JavaScript output to contain attacker-controlled code.
The injected code may execute if the generated file is later executed or imported and an affected generated API path is invoked.
## Preconditions
* The application or build process must run `pbjs` static code generation on a pre-parsed JSON descriptor influenced by an attacker.
* The generated JavaScript file must subsequently be executed or imported.
* An affected generated API path must be invoked.
## Workarounds
Do not run affected versions of `pbjs` static or static-module generation on untrusted JSON descriptors. If untrusted JSON descriptors must be accepted, validate descriptor-derived names before code generation and reject names that could not have been produced by parsing a valid `.proto` file. Running code generation in an isolated environment can reduce impact.
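One way to implement the pre-generation name check described above, as an added example that is not protobufjs-cli code: it walks a protobufjs JSON descriptor, assuming the documented `nested` / `fields` / `methods` / `values` / `oneofs` layout, and reports any key or type reference that the `.proto` identifier grammar could not have produced. The two sample descriptors are constructed for illustration.

```javascript
"use strict";

// One identifier, exactly as the .proto grammar allows it.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
// A type reference: optional leading dot, then dot-separated identifiers.
const TYPE_REF = /^\.?[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*$/;

// Descriptor sections whose object keys become identifiers in generated code.
const SECTIONS = ["nested", "fields", "methods", "values", "oneofs"];
// Entry properties that hold type references and are emitted into code too.
const TYPE_PROPS = ["type", "requestType", "responseType"];

// Walks a protobufjs JSON descriptor and returns every location whose name
// or type reference could not have come from parsing a valid .proto file.
function findUnsafeNames(obj, path = "") {
  const problems = [];
  if (obj === null || typeof obj !== "object") return problems;
  for (const section of SECTIONS) {
    const entries = obj[section];
    if (!entries || typeof entries !== "object") continue;
    for (const name of Object.keys(entries)) {
      const where = `${path}/${section}/${name}`;
      if (!IDENT.test(name)) problems.push(`unsafe name at ${where}`);
      const entry = entries[name];
      if (entry === null || typeof entry !== "object") continue;
      for (const prop of TYPE_PROPS) {
        if (typeof entry[prop] === "string" && !TYPE_REF.test(entry[prop]))
          problems.push(`unsafe ${prop} at ${where}`);
      }
      // Oneof members are field names that the generator references again.
      for (const member of Array.isArray(entry.oneof) ? entry.oneof : [])
        if (!IDENT.test(member)) problems.push(`unsafe oneof member at ${where}`);
      // Nested namespaces, messages and services carry their own sections.
      if (section === "nested") problems.push(...findUnsafeNames(entry, where));
    }
  }
  return problems;
}

// Constructed samples: a clean descriptor and one carrying a crafted field name.
const clean = { nested: { demo: { nested: { Greeting: { fields: { text: { type: "string", id: 1 } } } } } } };
const crafted = { nested: { demo: { nested: { Greeting: { fields: { "text; evil()": { type: "string", id: 1 } } } } } } };

// Reject the descriptor before it ever reaches pbjs when the list is non-empty.
console.log(findUnsafeNames(crafted)); // → [ 'unsafe name at /nested/demo/nested/Greeting/fields/text; evil()' ]
```

The check is deliberately stricter than pbjs itself: anything outside the `.proto` identifier grammar is refused up front, which also covers names that are syntactically harmless today but would be unsafe in a future generator template.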