CVE-2026-42290

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments. This vulnerability is fixed in 1.2.1 and 2.0.2.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f84p-cvgm-xgjj	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:protobufjs_project:protobufjs-cli::::::node.js::*
	cpe:2.3:a:protobufjs_project:protobufjs-cli::::::node.js::*

History

19 May 2026, 20:56

Type	Values Removed	Values Added
CPE		cpe:2.3:a:protobufjs_project:protobufjs-cli::::::node.js::*
References	~~() https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f84p-cvgm-xgjj -~~	() https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f84p-cvgm-xgjj - Vendor Advisory
First Time		Protobufjs Project protobufjs-cli Protobufjs Project

13 May 2026, 16:32

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-13 16:16

Updated : 2026-05-19 20:56

NVD link : CVE-2026-42290

Mitre link : CVE-2026-42290

CVE.ORG link : CVE-2026-42290

JSON object : View

Products Affected

protobufjs_project

protobufjs-cli

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2026-42290", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-05-13T16:16:47.160", "references": [{"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f84p-cvgm-xgjj", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments. This vulnerability is fixed in 1.2.1 and 2.0.2."}], "lastModified": "2026-05-19T20:56:15.433", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:protobufjs_project:protobufjs-cli:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "D729851A-7B65-4068-98B3-9EDC804701F8", "versionEndExcluding": "1.2.1"}, {"criteria": "cpe:2.3:a:protobufjs_project:protobufjs-cli:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "B96D73DB-BEF0-421A-926F-1D0F5A62CA25", "versionEndExcluding": "2.0.2", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}