CVE-2026-42290
protobuf.js is Vulnerable to OS Command Injection in the CLI
Description

## Summary

`pbts` invoked JSDoc by building a shell command string from input file paths and executing it through `child_process.exec`. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments.

## Impact

An attacker who can control file names or paths passed to `pbts` may be able to execute arbitrary shell commands with the privileges of the process running `pbts`. This affects the protobufjs CLI tooling path. The protobufjs runtime APIs for encoding, decoding, parsing, and loading protobuf messages are not directly affected by this issue.

## Preconditions

- The application or user must invoke `pbts` on file paths influenced by an attacker.
- The attacker must be able to supply or create a path containing shell-significant characters.
- The vulnerable `pbts` version must execute the generated JSDoc command through a shell.

## Workarounds

Do not run affected versions of `pbts` on attacker-controlled file names or paths. If this cannot be avoided, sanitize or rename input files before invoking `pbts`, or run the CLI in an isolated environment with minimal privileges.
How to fix CVE-2026-42290
To fix CVE-2026-42290, upgrade the affected package to the patched version listed below.
- — upgrade to 1.2.1 or later
Is CVE-2026-42290 being exploited?
Low — EPSS is 0.0%; no widespread exploitation activity has been observed so far.
Affected packages (1)
- from 0, < 1.2.1
CVSS score
| Source | Version | Severity |
|---|---|---|