CVE-2026-54271
protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names
Description
## Summary

A previous fix for unsafe name handling in `pbjs` static / static-module code generation was incomplete. Affected versions of `protobufjs-cli` could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas from `.proto` files is not affected.

This is a bypass of GHSA-6r35-46g8-jcw9 / CVE-2026-44295.

## Impact

An attacker who can provide or influence pre-parsed JSON descriptors passed to `pbjs` static code generation may be able to cause the generated JavaScript output to contain attacker-controlled code. The injected code may execute when the generated file is later executed or imported and an affected generated API path is invoked.

## Preconditions

* The application or build process runs `pbjs` static code generation on a pre-parsed JSON descriptor that an attacker can influence.
* The generated JavaScript file is subsequently executed or imported.
* An affected generated API path is invoked.

## Workarounds

Do not run affected versions of `pbjs` static or static-module generation on untrusted JSON descriptors. If untrusted JSON descriptors must be accepted, validate descriptor-derived names before code generation and reject any name that could not have been produced by parsing a valid `.proto` file. Running code generation in an isolated environment can reduce impact, but note that the injected code runs wherever the generated file is later imported, not only where it was generated.
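The workaround above asks for descriptor-derived names to be validated before code generation. The following is an added example of such a pre-generation check; it is not part of protobufjs-cli and does not reproduce the check that was bypassed in the affected versions. It assumes the JSON layout produced by protobufjs `Root#toJSON()` (`nested`, `fields`, `oneofs`, `values`, `methods`, `options`, `type`, `keyType`, `requestType`, `responseType`) and uses regular expressions that conservatively approximate the identifier, type-reference and option-name grammar of `.proto` files. Beyond names, it also rejects non-integer field ids and enum values, since those are emitted into generated code as well. The sample descriptors are constructed for the example.

```javascript
"use strict";

// Identifier as accepted by the .proto grammar (assumed conservative approximation).
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
// Type reference: optional leading dot, then dot-separated identifiers.
const TYPE_REF = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;
// Option name: plain or "(extension.name).sub" form; anything else is rejected.
const OPTION_NAME = /^(\([A-Za-z_][A-Za-z0-9_.]*\)|[A-Za-z_][A-Za-z0-9_]*)(\.[A-Za-z_][A-Za-z0-9_]*)*$/;
const FIELD_RULES = new Set(["required", "optional", "repeated"]);

const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Returns a list of violations (empty when the descriptor is acceptable),
// so a build step can fail and report every problem at once.
function validateDescriptor(root) {
  const errors = [];
  if (!isObj(root)) return ["descriptor root is not an object"];
  walkNamespace(root, "", errors);
  return errors;
}

function checkName(name, where, re, errors) {
  if (typeof name === "string" && re.test(name)) return true;
  errors.push(`${where}: invalid name ${JSON.stringify(name)}`);
  return false;
}

function checkOptions(options, where, errors) {
  if (options === undefined) return;
  if (!isObj(options)) return void errors.push(`${where}: options is not an object`);
  for (const key of Object.keys(options)) checkName(key, `${where} option`, OPTION_NAME, errors);
}

function walkNamespace(ns, path, errors) {
  const label = path || "<root>";
  checkOptions(ns.options, label, errors);
  if (ns.nested === undefined) return;
  if (!isObj(ns.nested)) return void errors.push(`${label}: nested is not an object`);
  for (const [name, def] of Object.entries(ns.nested)) {
    const here = path ? `${path}.${name}` : name;
    if (!checkName(name, here, IDENT, errors)) continue; // hostile key: skip its body
    if (!isObj(def)) { errors.push(`${here}: definition is not an object`); continue; }
    if (def.fields !== undefined) walkMessage(def, here, errors);
    if (def.values !== undefined) walkEnum(def, here, errors);
    if (def.methods !== undefined) walkService(def, here, errors);
    walkNamespace(def, here, errors); // messages may declare nested types
  }
}

function walkMessage(msg, path, errors) {
  if (!isObj(msg.fields)) return void errors.push(`${path}: fields is not an object`);
  for (const [name, f] of Object.entries(msg.fields)) {
    const where = `${path}.${name}`;
    checkName(name, where, IDENT, errors);
    if (!isObj(f)) { errors.push(`${where}: field is not an object`); continue; }
    checkName(f.type, `${where} type`, TYPE_REF, errors);
    if (f.keyType !== undefined) checkName(f.keyType, `${where} keyType`, TYPE_REF, errors);
    if (f.rule !== undefined && !FIELD_RULES.has(f.rule)) errors.push(`${where}: invalid rule`);
    if (!Number.isInteger(f.id) || f.id < 1) errors.push(`${where}: id must be a positive integer`);
    checkOptions(f.options, where, errors);
  }
  if (msg.oneofs === undefined) return;
  if (!isObj(msg.oneofs)) return void errors.push(`${path}: oneofs is not an object`);
  for (const [name, o] of Object.entries(msg.oneofs)) {
    checkName(name, `${path}.${name} (oneof)`, IDENT, errors);
    const members = isObj(o) && Array.isArray(o.oneof) ? o.oneof : [];
    for (const m of members) checkName(m, `${path}.${name} oneof member`, IDENT, errors);
  }
}

function walkEnum(en, path, errors) {
  if (!isObj(en.values)) return void errors.push(`${path}: values is not an object`);
  for (const [name, v] of Object.entries(en.values)) {
    checkName(name, `${path}.${name}`, IDENT, errors);
    if (!Number.isInteger(v)) errors.push(`${path}.${name}: enum value must be an integer`);
  }
}

function walkService(svc, path, errors) {
  if (!isObj(svc.methods)) return void errors.push(`${path}: methods is not an object`);
  for (const [name, m] of Object.entries(svc.methods)) {
    const where = `${path}.${name}`;
    checkName(name, where, IDENT, errors);
    if (!isObj(m)) { errors.push(`${where}: method is not an object`); continue; }
    checkName(m.requestType, `${where} requestType`, TYPE_REF, errors);
    checkName(m.responseType, `${where} responseType`, TYPE_REF, errors);
    checkOptions(m.options, where, errors);
  }
}

// Constructed sample descriptors (not from the advisory).
const CLEAN = { nested: { shop: { nested: {
  Item: { fields: { name: { type: "string", id: 1 }, qty: { type: "int32", id: 2, rule: "optional" } } },
  Kind: { values: { BOOK: 0, TOY: 1 } },
  Store: { methods: { Get: { requestType: "Item", responseType: ".shop.Item" } } },
} } } };
// A message name and a field type that no .proto parser would have produced.
const HOSTILE = { nested: { shop: { nested: {
  "Item\"]; require('child_process').execSync('id'); //": { fields: { name: { type: "string", id: 1 } } },
  Other: { fields: { ref: { type: "Item']]; process.exit(1); //", id: 1 } } },
} } } };

console.log(validateDescriptor(CLEAN));   // []
console.log(validateDescriptor(HOSTILE)); // two violations, one per injected name
```

Run the validator on the descriptor object immediately before handing it to the static generator and abort the build on a non-empty result. The regular expressions are deliberately stricter than a full `.proto` grammar in places (for example, they do not accept the full range of option syntax); tightening is the safe direction for a reject-list, since a legitimate descriptor that is refused fails loudly at build time.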
How to fix CVE-2026-54271
To remediate CVE-2026-54271, upgrade the affected package to a fixed version below.
- protobufjs-cli: upgrade to 1.3.2 or later
Is CVE-2026-54271 being exploited?
No exploitation signal is available: CVE-2026-54271 is not listed in CISA KEV and no EPSS score has been published for it.
Affected packages (1)
- protobufjs-cli: from 0, < 1.3.2