protobuf.js is Vulnerable to OS Command Injection in the CLI
High severity
GitHub Reviewed
Published
May 12, 2026
in
protobufjs/protobuf.js
•
Updated May 14, 2026
Package
Affected versions
<= 1.2.0
>= 2.0.0, <= 2.0.1
Patched versions
1.2.1
2.0.2
Description
Published to the GitHub Advisory Database
May 12, 2026
Reviewed
May 12, 2026
Published by the National Vulnerability Database
May 13, 2026
Last updated
May 14, 2026
Summary
pbtsinvoked JSDoc by building a shell command string from input file paths and executing it throughchild_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments.Impact
An attacker who can control file names or paths passed to
pbtsmay be able to execute arbitrary shell commands with the privileges of the process runningpbts.This affects the protobufjs CLI tooling path. The protobufjs runtime APIs for encoding, decoding, parsing, and loading protobuf messages are not directly affected by this issue.
Preconditions
pbtson file paths influenced by an attacker.pbtsversion must execute the generated JSDoc command through a shell.Workarounds
Do not run affected versions of
pbtson attacker-controlled file names or paths. If this cannot be avoided, sanitize or rename input files before invokingpbts, or run the CLI in an isolated environment with minimal privileges.References