CVE-2026-44295

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization. This vulnerability is fixed in 1.2.1 and 2.0.2.

CVSS v3 8.7 HIGH

8.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.3 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-6r35-46g8-jcw9	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:protobufjs_project:protobufjs-cli::::::node.js::*
	cpe:2.3:a:protobufjs_project:protobufjs-cli::::::node.js::*

History

19 May 2026, 20:37

Type	Values Removed	Values Added
References	~~() https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-6r35-46g8-jcw9 -~~	() https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-6r35-46g8-jcw9 - Vendor Advisory
First Time		Protobufjs Project protobufjs-cli Protobufjs Project
CPE		cpe:2.3:a:protobufjs_project:protobufjs-cli::::::node.js::*

13 May 2026, 17:01

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-13 16:16

Updated : 2026-05-19 20:37

NVD link : CVE-2026-44295

Mitre link : CVE-2026-44295

CVE.ORG link : CVE-2026-44295

JSON object : View

Products Affected

protobufjs_project

protobufjs-cli

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2026-44295", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.3}]}, "published": "2026-05-13T16:16:56.507", "references": [{"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-6r35-46g8-jcw9", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization. This vulnerability is fixed in 1.2.1 and 2.0.2."}], "lastModified": "2026-05-19T20:37:36.807", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:protobufjs_project:protobufjs-cli:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "D729851A-7B65-4068-98B3-9EDC804701F8", "versionEndExcluding": "1.2.1"}, {"criteria": "cpe:2.3:a:protobufjs_project:protobufjs-cli:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "B96D73DB-BEF0-421A-926F-1D0F5A62CA25", "versionEndExcluding": "2.0.2", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}