High severity · 8.7 · GHSA Advisory · Published May 13, 2026 · Updated May 19, 2026
CVE-2026-44295
Description
protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization. This vulnerability is fixed in 1.2.1 and 2.0.2.
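As an added defensive example (not code from protobuf.js or from the advisory): a pre-check over a protobuf.js JSON descriptor that flags every schema-controlled name that is not a plain JavaScript identifier, so a descriptor from an untrusted source can be rejected before pbjs static generation runs. The descriptor shape (nested/fields/values/methods) is protobuf.js's JSON descriptor format; the sample descriptor, the reserved-word list and the function names are constructed for this example.

```javascript
// Added example: validate the names pbjs would turn into JavaScript identifiers
// (namespaces, messages, enums, enum values, fields, services, methods) before
// running static code generation on a descriptor you did not author.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
// Syntactically valid identifiers that still must not be emitted as bare names.
// Constructed for this check; not an exhaustive list of JavaScript reserved words.
const RESERVED = new Set([
  "break", "case", "catch", "class", "const", "continue", "debugger", "default",
  "delete", "do", "else", "enum", "export", "extends", "false", "finally", "for",
  "function", "if", "import", "in", "instanceof", "new", "null", "return", "super",
  "switch", "this", "throw", "true", "try", "typeof", "var", "void", "while", "with",
  "yield", "let", "static", "await",
]);

function isSafeName(name) {
  return IDENT.test(name) && !RESERVED.has(name);
}

// Walk the descriptor tree; return every unsafe name with its dotted full name,
// since pbjs derives full names from the path of namespaces it sits under.
function findUnsafeNames(node, path = [], out = []) {
  const check = (name, kind) => {
    if (!isSafeName(name)) out.push({ path: [...path, name].join("."), kind });
  };
  for (const [key, child] of Object.entries(node.nested || {})) {
    const kind = child.values ? "enum" : child.methods ? "service"
      : child.fields ? "message" : "namespace";
    check(key, kind);
    findUnsafeNames(child, [...path, key], out);
  }
  for (const f of Object.keys(node.fields || {})) check(f, "field");
  for (const v of Object.keys(node.values || {})) check(v, "enum value");
  for (const m of Object.keys(node.methods || {})) check(m, "method");
  return out;
}

// Constructed sample descriptor: one clean message plus two names to be rejected
// (an enum name containing a space, and a method named with a reserved word).
const SAMPLE = {
  nested: {
    shop: { nested: {
      Order: { fields: { id: { type: "uint32", id: 1 } } },
      "Bad Enum": { values: { OK: 0 } },
      Svc: { methods: { class: { requestType: "Order", responseType: "Order" } } },
    } },
  },
};
```

Reject the descriptor (do not run `pbjs -t static-module` on it) whenever `findUnsafeNames` returns a non-empty list.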
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| protobufjs-cli | npm | < 1.2.1 | 1.2.1 |
| protobufjs-cli | npm | >= 2.0.0, < 2.0.2 | 2.0.2 |
Affected products
- (no CPE) range: >= 2.0.0, <= 2.0.1
- cpe:2.3:a:protobufjs_project:protobufjs-cli:*:*:*:*:*:node.js:*:* range: < 1.2.1
- osv-coords (3 versions):
  - (no CPE) range: < 23.0.4-r5
  - (no CPE) range: < 23.0.4-r5
  - (no CPE) range: < 1.2.1
References
- github.com/advisories/GHSA-6r35-46g8-jcw9 (GHSA, advisory)
- github.com/protobufjs/protobuf.js/security/advisories/GHSA-6r35-46g8-jcw9 (NVD, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-44295 (GHSA, advisory)
- github.com/protobufjs/protobuf.js/releases/tag/protobufjs-cli-v1.2.1 (GHSA, release page)
- github.com/protobufjs/protobuf.js/releases/tag/protobufjs-cli-v2.0.2 (GHSA, release page)
News mentions
- Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS (The Hacker News · Jun 10, 2026)