{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/protobufjs-cli--2.0.0--2.0.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["protobufjs-cli (\u003c= 1.2.0)","protobufjs-cli (\u003e= 2.0.0, \u003c= 2.0.1)"],"_cs_severities":["high"],"_cs_tags":["command-injection","protobufjs","cli","execution"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe \u003ccode\u003epbts\u003c/code\u003e command-line tool in protobuf.js is susceptible to OS command injection due to its construction of shell command strings from input file paths when invoking JSDoc. This occurs because file paths containing shell metacharacters are interpreted by the shell rather than being treated as plain arguments by JSDoc. This vulnerability exists in protobufjs-cli versions 1.2.0 and earlier, as well as versions 2.0.0 through 2.0.1. Successful exploitation allows an attacker to execute arbitrary shell commands within the context of the \u003ccode\u003epbts\u003c/code\u003e process. It is important to note that this issue specifically affects the CLI tooling path; the protobuf.js runtime APIs for encoding, decoding, parsing, and loading protobuf messages remain unaffected. Defenders should focus on monitoring and restricting the usage of \u003ccode\u003epbts\u003c/code\u003e with untrusted input.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains control over filenames or paths that will be processed by \u003ccode\u003epbts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious filename or path containing shell metacharacters (e.g., \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e, \u003ccode\u003e\u0026amp;\u003c/code\u003e, \u003ccode\u003e$\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA user or application invokes the vulnerable \u003ccode\u003epbts\u003c/code\u003e command, passing the attacker-controlled path as an argument.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003epbts\u003c/code\u003e constructs a shell command string that includes the malicious path.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003epbts\u003c/code\u003e executes the generated command string using \u003ccode\u003echild_process.exec\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe shell interprets the metacharacters in the malicious path, leading to the execution of arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution with the privileges of the \u003ccode\u003epbts\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform malicious activities such as data exfiltration, system compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-42290) enables an attacker to execute arbitrary shell commands with the privileges of the process running \u003ccode\u003epbts\u003c/code\u003e. This could lead to complete system compromise, data theft, or other malicious activities. The vulnerable component is the command line tool. The number of potential victims depends on the prevalence of vulnerable protobufjs-cli versions and the degree to which \u003ccode\u003epbts\u003c/code\u003e is used with untrusted input.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003eprotobufjs-cli\u003c/code\u003e that addresses CVE-2026-42290.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, sanitize or rename input files before invoking \u003ccode\u003epbts\u003c/code\u003e, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement process monitoring to detect suspicious command execution originating from \u003ccode\u003epbts\u003c/code\u003e processes, using the process_creation rules provided.\u003c/li\u003e\n\u003cli\u003eRun the \u003ccode\u003epbts\u003c/code\u003e CLI in an isolated environment with minimal privileges to limit the impact of potential command injection attacks, as described in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T15:00:54Z","date_published":"2026-05-12T15:00:54Z","id":"https://feed.craftedsignal.io/briefs/2026-05-protobufjs-command-injection/","summary":"The protobuf.js CLI tool `pbts` is vulnerable to OS command injection via crafted filenames or paths with shell metacharacters, potentially leading to arbitrary command execution with the privileges of the `pbts` process when invoked on attacker-influenced file paths; CVE-2026-42290.","title":"protobuf.js CLI pbts Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-protobufjs-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Protobufjs-Cli (\u003e= 2.0.0, \u003c= 2.0.1)","version":"https://jsonfeed.org/version/1.1"}