CVE-2026-42290
protobuf.js is Vulnerable to OS Command Injection in the CLI
Description
## Summary

`pbts` invoked JSDoc by building a shell command string from input file paths and executing it through `child_process.exec`. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments.

## Impact

An attacker who can control file names or paths passed to `pbts` may be able to execute arbitrary shell commands with the privileges of the process running `pbts`. This affects the protobufjs CLI tooling path. The protobufjs runtime APIs for encoding, decoding, parsing, and loading protobuf messages are not directly affected by this issue.

## Preconditions

- The application or user must invoke `pbts` on file paths influenced by an attacker.
- The attacker must be able to supply or create a path containing shell-significant characters.
- The vulnerable `pbts` version must execute the generated JSDoc command through a shell.

## Workarounds

Do not run affected versions of `pbts` on attacker-controlled file names or paths. If this cannot be avoided, sanitize or rename input files before invoking `pbts`, or run the CLI in an isolated environment with minimal privileges.
How to fix CVE-2026-42290
To remediate CVE-2026-42290, upgrade the affected package to a fixed version below.
- Upgrade to 1.2.1 or later.
Is CVE-2026-42290 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- All versions from 0 up to, but not including, 1.2.1 (< 1.2.1)