CVE-2026-54271
protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names
Description
## Summary

A previous fix for unsafe name handling in `pbjs` static / static-module code generation was incomplete. Affected versions of `protobufjs-cli` could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common case of parsing schemas from `.proto` files is not affected.

This is a bypass of GHSA-6r35-46g8-jcw9 / CVE-2026-44295.

## Impact

An attacker who can provide or influence pre-parsed JSON descriptors passed to `pbjs` static code generation may be able to cause the generated JavaScript output to contain attacker-controlled code. The injected code may execute if the generated file is later executed or imported and an affected generated API path is invoked.

## Preconditions

* The application or build process must run `pbjs` static code generation on a pre-parsed JSON descriptor influenced by an attacker.
* The generated JavaScript file must subsequently be executed or imported.
* An affected generated API path must be invoked.

## Workarounds

Do not run affected versions of `pbjs` static or static-module generation on untrusted JSON descriptors. If untrusted JSON descriptors must be accepted, validate descriptor-derived names before code generation and reject names that could not have been produced by parsing a valid `.proto` file. Running code generation in an isolated environment can reduce impact.
How to patch CVE-2026-54271
To patch CVE-2026-54271, upgrade the affected package to the patched version listed below.
- protobufjs-cli: upgrade to 1.3.2 or later
Is CVE-2026-54271 being exploited?
There is currently no exploitation signal. CVE-2026-54271 is neither listed in CISA KEV nor does it have a recent EPSS score.
Affected packages (1)
- protobufjs-cli: from 0, < 1.3.2