protobuf.js: Code injection in pbjs static output from crafted schema names
Severity: High
Description
pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization.
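As an added illustration (not code from this advisory or from protobuf.js), the following pre-flight check walks a protobuf.js JSON descriptor and flags any namespace, message, field, enum value or method name that is not a plain JavaScript identifier, so an untrusted descriptor can be rejected before `pbjs -t static` runs. The descriptor layout (`nested`, `fields`, `values`, `methods`) follows protobuf.js's JSON format; the ASCII-only identifier policy, the deny list and the sample descriptor are assumptions constructed here.

```javascript
// Added example, not protobuf.js code: reject descriptor names that are not
// plain JavaScript identifiers before they reach `pbjs -t static`.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/; // assumed policy: ASCII-only names
// ECMAScript reserved words plus object-special names (assumed deny list).
const RESERVED = new Set([
  "break", "case", "catch", "class", "const", "continue", "debugger", "default",
  "delete", "do", "else", "enum", "export", "extends", "false", "finally", "for",
  "function", "if", "import", "in", "instanceof", "new", "null", "return", "super",
  "switch", "this", "throw", "true", "try", "typeof", "var", "void", "while",
  "with", "yield", "let", "static", "implements", "interface", "package",
  "private", "protected", "public", "await", "__proto__", "constructor", "prototype",
]);

function isSafeName(name) {
  return typeof name === "string" && IDENT.test(name) && !RESERVED.has(name);
}

// Walk a protobuf.js JSON descriptor (namespaces and messages under `nested`,
// message fields under `fields`, enum values under `values`, service methods
// under `methods`) and collect every unsafe name with its kind and dotted path.
function findUnsafeNames(desc, path = [], out = []) {
  const visit = (bag, kind) => {
    for (const name of Object.keys(bag || {})) {
      const full = [...path, name].join(".");
      if (!isSafeName(name)) out.push({ kind, path: full });
      if (kind === "nested") findUnsafeNames(bag[name], [...path, name], out);
    }
  };
  visit(desc.nested, "nested");
  visit(desc.fields, "field");
  visit(desc.values, "enumValue");
  visit(desc.methods, "method");
  return out;
}

// Constructed sample descriptor: one clean package containing three names
// that the check must reject (leading digit, hyphen, reserved word).
const SAMPLE = {
  nested: {
    demo: {
      nested: {
        Greeting: { fields: { text: { type: "string", id: 1 }, "1st": { type: "int32", id: 2 } } },
        "my-enum": { values: { A: 0 } },
        Svc: { methods: { class: { requestType: "Greeting", responseType: "Greeting" } } },
      },
    },
  },
};
```

`findUnsafeNames(SAMPLE)` returns the three offending entries with their dotted paths; a non-empty result is the signal to stop before code generation.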
Recommendation
Update the protobufjs-cli package to the latest compatible version. Version details follow:
Affected version(s): **>= 2.0.0, <= 2.0.1** and **<= 1.2.0**
Patched version(s): **2.0.2** and **1.2.1**
Related Issues
- protobuf.js: Denial of service from crafted field names in generated code - CVE-2026-44294
- protobuf.js: Code injection through bytes field defaults in generated toObject code - CVE-2026-44293
- protobuf.js is Vulnerable to OS Command Injection in the CLI - CVE-2026-42290
- lodash vulnerable to Code Injection via `_.template` imports key names - lodash-amd - CVE-2026-4800
Tags: npm, protobufjs-cli
Last updated on May 14, 2026