![CVE](https://img.shields.io/badge/CVE-2026--42290-red)

# CVE-2026-42290 — protobufjs `pbts` Command Injection via Unsanitized File Paths

> CVE-2026-42290 has been officially published.

## Overview

The `pbts` CLI tool in protobufjs constructed a shell command using unsanitized file paths and executed it via `child_process.exec`, allowing shell metacharacters in file names or paths to be interpreted by the shell.

**CVE ID:** CVE-2026-42290
**Affected Component:** protobufjs CLI (`pbts`)
**Severity:** High
**Vulnerability Type:** Command Injection
**CWE:** CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

---

## Description

`pbts` invoked JSDoc by building a shell command string from input file paths and executing it through `child_process.exec`. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments.

This behavior allowed attacker-controlled file names or paths to inject arbitrary shell commands during execution of the `pbts` CLI tool.

---

## Impact

* An attacker who can control file names or paths passed to `pbts` may be able to execute arbitrary shell commands.
* Commands execute with the privileges of the process running `pbts`.
* The issue affects the protobufjs CLI tooling workflow. The protobufjs runtime APIs for encoding, decoding, parsing, and loading protobuf messages are not directly affected by this issue.

---

## Preconditions

* The application or user must invoke `pbts` on file paths influenced by an attacker.
* The attacker must be able to supply or create a path containing shell-significant characters.
* The vulnerable `pbts` version must execute the generated JSDoc command through a shell.

---

## Workarounds

* Do not run affected versions of `pbts` on attacker-controlled file names or paths.
* Sanitize or rename input files before invoking `pbts`.
* Run the CLI in an isolated environment with minimal privileges if untrusted input cannot be avoided.

---

## References

* https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-f84p-cvgm-xgjj

---

## Discoverer

**Stalin S** ([@0x5t4l1n](https://github.com/0x5t4l1n))