Create CVE-2026-42290.md

Stalin
2026-05-12 18:25:24 +05:30
committed by GitHub
parent 33689357df
commit 7cb0d95e48
@@ -0,0 +1,60 @@
![CVE](https://img.shields.io/badge/CVE-2026--42290-red)
# protobufjs `pbts` Command Injection via Unsanitized File Paths
## Overview
The `pbts` CLI tool in protobufjs constructed a shell command using unsanitized file paths and executed it via `child_process.exec`, allowing shell metacharacters in file names or paths to be interpreted by the shell.
**Severity:** High
**Vulnerability Type:** Command Injection
**CWE:** CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
---
## Description
`pbts` invoked JSDoc by building a shell command string from input file paths and executing it through `child_process.exec`. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments.
This behavior allowed attacker-controlled file names or paths to inject arbitrary shell commands during execution of the `pbts` CLI tool.
---
## Impact
* An attacker who can control file names or paths passed to `pbts` may be able to execute arbitrary shell commands.
* Commands execute with the privileges of the process running `pbts`.
* The issue affects the protobufjs CLI tooling workflow.
The protobufjs runtime APIs for encoding, decoding, parsing, and loading protobuf messages are not directly affected by this issue.
---
## Preconditions
* The application or user must invoke `pbts` on file paths influenced by an attacker.
* The attacker must be able to supply or create a path containing shell-significant characters.
* The vulnerable `pbts` version must execute the generated JSDoc command through a shell.
---
## Workarounds
* Do not run affected versions of `pbts` on attacker-controlled file names or paths.
* Sanitize or rename input files before invoking `pbts`.
* Run the CLI in an isolated environment with minimal privileges if untrusted input cannot be avoided.
---
## References
* https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f84p-cvgm-xgjj
---
## Discoverer
**Stalin S** ([@0x5t4l1n](https://github.com/0x5t4l1n))
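Review bot: the advisory never states which `pbts`/protobufjs versions are affected or which release contains the fix, even though the Preconditions bullet ("The vulnerable `pbts` version must execute the generated JSDoc command through a shell") and the Workarounds bullet ("Do not run affected versions of `pbts` ...") both depend on the reader knowing that range. Add an "Affected Versions" / "Patched Versions" section between Preconditions and Workarounds, taking the range from the linked GHSA advisory, and add "Upgrade to the patched release" as the first workaround so the mitigations are not limited to avoiding untrusted paths. A one-line "Fix" note would also help readers verify their build: given the Overview's root cause (a shell command string handed to `child_process.exec`), state whether the fix passes the JSDoc arguments as an array to a non-shell API such as `child_process.execFile`/`spawn` or merely quotes the paths, since the two leave different residual risk.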