CVE-2026-42290 — protobufjs pbts Command Injection via Unsanitized File Paths
CVE-2026-42290 has been officially published.
Overview
The pbts CLI tool in protobufjs constructed a shell command using unsanitized file paths and executed it via child_process.exec, allowing shell metacharacters in file names or paths to be interpreted by the shell.
CVE ID: CVE-2026-42290
Affected Component: protobufjs CLI (pbts)
Severity: High
Vulnerability Type: Command Injection
CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Description
pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments.
This behavior allowed attacker-controlled file names or paths to inject arbitrary shell commands during execution of the pbts CLI tool.
Impact
- An attacker who can control file names or paths passed to pbts may be able to execute arbitrary shell commands.
- Commands execute with the privileges of the process running pbts.
- The issue affects the protobufjs CLI tooling workflow.
The protobufjs runtime APIs for encoding, decoding, parsing, and loading protobuf messages are not directly affected by this issue.
Preconditions
- The application or user must invoke pbts on file paths influenced by an attacker.
- The attacker must be able to supply or create a path containing shell-significant characters.
- The vulnerable pbts version must execute the generated JSDoc command through a shell.
Workarounds
- Do not run affected versions of pbts on attacker-controlled file names or paths.
- Sanitize or rename input files before invoking pbts.
- Run the CLI in an isolated environment with minimal privileges if untrusted input cannot be avoided.
Discoverer
Stalin S (@0x5t4l1n)