CVE-2026-44295 Overview
CVE-2026-44295 affects protobufjs-cli, the command line add-on for protobuf.js. The pbjs static code generator emits unsafe JavaScript identifiers derived from schema-controlled names. When a developer generates static JavaScript from a crafted schema or JSON descriptor, namespace, enum, service, or derived full names can be written into the generated output without sufficient sanitization. The flaw is tracked as code injection [CWE-94] and is fixed in versions 1.2.1 and 2.0.2.
Critical Impact
Attackers who supply a malicious .proto schema or JSON descriptor can inject arbitrary JavaScript into generated code, leading to code execution in any process that loads the output.
Affected Products
- protobufjs-cli versions prior to 1.2.1 (1.x branch)
- protobufjs-cli versions prior to 2.0.2 (2.x branch)
- Build pipelines and applications that run pbjs static code generation against untrusted schemas
Discovery Timeline
- 2026-05-13 - CVE-2026-44295 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44295
Vulnerability Analysis
The pbjs tool converts Protocol Buffer schemas into static JavaScript modules for runtime use. During generation, the tool writes identifiers derived from schema fields directly into the output source. Because the generator does not validate that these identifiers form safe JavaScript tokens, an attacker controlling the schema can break out of the intended identifier context. The injected content becomes part of the emitted .js file and executes when the module is loaded.
This is a classic build-time code injection issue. The attacker does not need to compromise the build host directly. Supplying a malicious .proto file or JSON descriptor through normal development workflows is sufficient. The Common Weakness Enumeration entry [CWE-94] captures this class of improper control of generated code.
Root Cause
The root cause is missing sanitization of namespace, enum, service, and derived full names during static code generation. The generator trusts schema-controlled strings as syntactically valid JavaScript identifiers. Names containing quotes, semicolons, brackets, or other JavaScript syntax characters terminate the intended identifier context and append attacker-controlled statements to the output.
Attack Vector
Exploitation requires a victim to run pbjs against an attacker-supplied schema and then execute or ship the generated code. Typical paths include consuming third-party .proto definitions from public registries, processing user-uploaded schemas in a build service, or merging a malicious pull request that modifies an existing schema. The CVSS vector indicates network-reachable attack with low complexity, low privileges, and required user interaction, with a scope change because the injected code runs in the consuming application rather than the generator.
No verified public proof-of-concept is available. The GitHub Security Advisory GHSA-6r35-46g8-jcw9 describes the affected identifier paths.
Detection Methods for CVE-2026-44295
Indicators of Compromise
- Generated JavaScript files from pbjs containing unexpected statements, function calls, or string literals outside declared message and enum definitions.
- .proto files or JSON descriptors with namespace, enum, service, or message names containing characters such as quotes, backticks, semicolons, parentheses, or newline escapes.
- Build logs showing pbjs invocations against schemas sourced from untrusted contributors or third-party registries.
Detection Strategies
- Diff generated pbjs output against a baseline produced from a known-good schema and flag any change outside expected identifier patterns.
- Run static analysis with tools such as ESLint on generated artifacts to surface syntactically suspicious tokens or unreachable statements.
- Audit dependency manifests for protobufjs-cli versions below 1.2.1 or 2.0.2 across all repositories and CI runners.
Monitoring Recommendations
- Alert on CI pipeline executions of pbjs triggered by external pull requests or contributor branches.
- Monitor package registry installs of protobufjs-cli and require pinning to fixed versions in lockfiles.
- Record and review the schemas consumed by code generation jobs, treating them as build inputs subject to code review.
How to Mitigate CVE-2026-44295
Immediate Actions Required
- Upgrade protobufjs-cli to 1.2.1 on the 1.x branch or 2.0.2 on the 2.x branch in every project and CI image.
- Regenerate all previously emitted static JavaScript modules using a patched pbjs and replace shipped artifacts.
- Treat every .proto and JSON descriptor sourced outside the trust boundary as untrusted input subject to review.
Patch Information
The maintainers fixed the issue in protobufjs-cli 1.2.1 and 2.0.2 by sanitizing identifiers derived from schema-controlled names before emitting them into generated JavaScript. Refer to the GitHub Security Advisory GHSA-6r35-46g8-jcw9 for the upstream commits and release notes.
Workarounds
- Restrict pbjs execution to schemas authored or reviewed by trusted maintainers until the upgrade is deployed.
- Validate schema identifiers against a strict allowlist matching [A-Za-z_][A-Za-z0-9_]* before passing them to pbjs.
- Isolate code generation in an ephemeral sandbox without access to source control credentials, registry tokens, or production secrets.
# Configuration example: pin and upgrade protobufjs-cli
npm install --save-dev protobufjs-cli@^2.0.2
# Verify that the installed version is 2.0.2 or later
npm ls protobufjs-cli
# Optional: refuse to generate when a declaration name contains any character
# outside the identifier allowlist (quotes, backticks, semicolons, brackets, ...).
# Package names may be dotted, so "." is tolerated; "{" and ";" end a declaration.
if grep -nE '^[[:space:]]*(message|enum|service|package)[[:space:]]+[^[:space:]]*[^A-Za-z0-9_.[:space:]{;]' path/to/schema.proto; then
  echo 'Suspicious identifier detected' >&2
  exit 1
fi
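As an added example (not code from protobufjs-cli or from this advisory), the following JavaScript applies the allowlist from the workaround above to both input formats pbjs accepts: it walks a protobuf.js JSON descriptor and scans raw .proto declarations, reporting every schema-controlled name that would not be a safe identifier, so a build job can refuse to run the generator. The sample descriptor and .proto text are constructed; the descriptor layout assumed is protobuf.js's JSON form (`nested`, `fields`, `values`, `methods`).

```javascript
// Added example, not protobufjs-cli's own code: reject schema-controlled names
// that are not safe JavaScript identifiers before the schema reaches pbjs.
const SAFE_IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
// Declaration keywords whose following token ends up in generated code.
const DECL_RE = /^\s*(message|enum|service|package|rpc)\s+(\S+)/gm;

// Walk a protobuf.js JSON descriptor ({ nested: { ... } }) and return the dotted
// paths of every namespace, message, enum, service, field, enum value or method
// name that fails the allowlist. An empty array means the descriptor is clean.
function findUnsafeDescriptorNames(descriptor, path = []) {
  const bad = [];
  const check = (name, where) => {
    if (!SAFE_IDENT.test(name)) bad.push([...where, name].join('.'));
  };
  for (const [name, node] of Object.entries(descriptor.nested || {})) {
    check(name, path);
    const here = [...path, name];
    for (const key of ['fields', 'values', 'methods']) {
      for (const child of Object.keys(node[key] || {})) check(child, here);
    }
    if (node.nested) bad.push(...findUnsafeDescriptorNames(node, here));
  }
  return bad;
}

// Scan raw .proto text for declaration names containing characters outside the
// allowlist. Package names may be dotted, so each segment is checked on its own.
function findUnsafeProtoNames(source) {
  const bad = [];
  for (const [, keyword, token] of source.matchAll(DECL_RE)) {
    if (keyword === 'package') {
      const pkg = token.replace(/;.*$/, '');
      if (!pkg.split('.').every((seg) => SAFE_IDENT.test(seg))) bad.push(pkg);
    } else {
      const name = token.replace(/[{(].*$/, ''); // drop "{" or "(" glued to the name
      if (!SAFE_IDENT.test(name)) bad.push(name);
    }
  }
  return bad;
}

// Constructed sample inputs: a clean descriptor and a .proto with a bad enum name.
const CLEAN_DESCRIPTOR = { nested: { shop: { nested: {
  Order: { fields: { id: { type: 'uint32', id: 1 } } },
  Status: { values: { NEW: 0, PAID: 1 } },
} } } };
const TAINTED_PROTO = 'syntax = "proto3";\npackage shop;\n' +
  'message Order { uint32 id = 1; }\nenum Bad"; {\n  X = 0;\n}\n';
```

Wire either function into the step that fetches schemas from a registry or pull request, and fail the job when the returned list is non-empty.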
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.