CVE-2026-44295
Protobuf · protobufjs-cli
A code injection vulnerability in protobufjs-cli allows authenticated attackers to execute arbitrary code during the generation process.
Executive summary
A code injection vulnerability in protobufjs-cli (CVE-2026-44295) poses a critical risk by allowing authenticated attackers to execute arbitrary code within the host environment.
Vulnerability
This vulnerability is a CWE-94 (Code Injection) flaw where the command-line tool fails to properly control the generation of code. An authenticated user can influence the output, leading to the execution of unintended code, often requiring user interaction to trigger the malicious payload.
Business impact
Successful exploitation can lead to remote code execution (RCE) on the developer or build system, potentially resulting in full system compromise, malicious code insertion into software builds, or unauthorized access to internal development environments. The CVSS score of 8.7 highlights the extreme risk to development pipelines and organizational security.
Remediation
Immediate Action: Update the protobufjs-cli package to version 1.2.1 or 2.0.2 via your package manager.
Proactive Monitoring: Monitor build servers and development machines for unexpected execution processes or unauthorized changes to source code files.
Compensating Controls: Limit access to the protobufjs-cli utility to authorized users only and ensure build processes are isolated within restricted environments.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Organizations utilizing protobufjs-cli must treat this as a high-priority update. Developers and build engineers should verify their dependencies and upgrade to the patched versions immediately to prevent potential supply chain attacks.