CVE-2026-44295
protobuf.js: Code injection in pbjs static output from crafted schema names
描述
## Summary `pbjs` static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization. ## Impact An attacker who can provide or influence schemas passed to `pbjs` may be able to cause generated JavaScript output to contain attacker-controlled code. The injected code would run if the generated file is later executed or imported by the application or build process. This affects the protobufjs CLI static code generation path. Applications that only use trusted schemas, or that do not execute generated output from untrusted schemas, are not directly affected. ## Preconditions - The application or build process must run `pbjs` static code generation on a schema or JSON descriptor influenced by an attacker. - The attacker-controlled input must contain crafted schema names that reach generated JavaScript output. - The generated JavaScript file must subsequently be executed, imported, or otherwise evaluated. ## Workarounds Do not run affected versions of `pbjs` static code generation on untrusted schemas or descriptors. If untrusted schemas must be accepted, validate schema names before code generation and run generation in an isolated environment.
如何修補 CVE-2026-44295
要修補 CVE-2026-44295,請將受影響套件升級到下列已修補版本。
- —升級至 1.2.1 或更新版本
CVE-2026-44295 正在被利用嗎?
低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 1.2.1