Threat Advisory

protobufjs-cli Vulnerability Enables Code Injection

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the protobufjs and protobufjs-cli npm packages, which are used for Protocol Buffer processing in JavaScript applications. Affected versions include protobufjs-cli up to 1.3.1 and 2.4.2, and protobufjs up to 7.6.0 and 8.4.0. The flaws comprise a code-injection vulnerability in static code generation and a denial-of-service condition caused by unbounded recursion during JSON conversion. Both issues can be triggered by maliciously crafted descriptor files or protobuf payloads, potentially leading to arbitrary code execution or service interruption. Organizations that rely on these libraries for build pipelines or runtime message handling face elevated risk to data integrity and availability.

  • CVE-2026-54271 with a CVSS score of 8.2 – A code-injection flaw in protobufjs-cli's static code generation. An attacker who can supply a crafted JSON descriptor can inject JavaScript that executes when the generated file is imported; exploitation requires that the build process run pbjs on untrusted descriptors.
  • CVE-2026-48712 with a CVSS score of 7.5 – A denial-of-service issue in protobufjs caused by unlimited recursion when converting deeply nested google.protobuf.Any messages to JSON. An attacker who can provide a crafted protobuf payload can trigger a stack overflow and crash the process; exploitation requires that the application perform JSON conversion on untrusted data.

These vulnerabilities expose JavaScript services that rely on protobuf processing to both remote code execution and service disruption, demanding immediate attention. If exploited, attackers can insert malicious code into build artifacts or cause application crashes, undermining data integrity, service availability, and potentially leading to loss of customer trust and operational downtime.

RECOMMENDATION:

  • Update protobufjs-cli to version 1.3.2 or 2.5.0, depending on the major release in use.
  • Update protobufjs to version 7.6.1 or 8.4.1, depending on the major release in use.
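As an added example, not part of this advisory or of the protobufjs project, the following Node.js script audits a package-lock.json against the fixed versions listed above; the lockfile fragment it reads is constructed for demonstration, and the lockfileVersion 2/3 layout (a "packages" map keyed by node_modules path) is assumed.

```javascript
// Added example: audit a package-lock.json for the protobufjs / protobufjs-cli versions
// this advisory covers. Fixed versions come from the advisory; the sample lockfile is constructed.
const FIXED = {
  "protobufjs-cli": { 1: [1, 3, 2], 2: [2, 5, 0] },
  "protobufjs":     { 7: [7, 6, 1], 8: [8, 4, 1] },
};
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// "fixed" or "vulnerable" for the major lines the advisory lists; "unlisted"
// when no fixed version is given for that line, which still warrants review.
function classify(pkg, version) {
  const lines = FIXED[pkg];
  if (!lines) return "unlisted";
  const v = parseVersion(version);
  const fixed = lines[v[0]];
  if (!fixed) return "unlisted";
  return cmp(v, fixed) >= 0 ? "fixed" : "vulnerable";
}
// Walk a lockfileVersion 2/3 file: keys of "packages" are node_modules paths,
// so nested installs (a/node_modules/b/node_modules/protobufjs) are found too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!(name in FIXED)) continue;
    findings.push({ path, name, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

// Constructed sample: two vulnerable entries and one nested, already-fixed one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/protobufjs": { version: "7.6.0" },
    "node_modules/protobufjs-cli": { version: "2.4.2" },
    "node_modules/some-tool/node_modules/protobufjs": { version: "8.4.1" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.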

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-pr59-h9ph-3fr8
https://github.com/advisories/GHSA-wcpc-wj8m-hjx6
