Intro: How CVE-2026-54271 Works
CVE-2026-54271 is a high‑severity code injection vulnerability in the `protobufjs-cli` package, and it exists as a direct bypass of the earlier CVE‑2026‑44295 patch. While the original CVE‑2026‑44295 (CVSS 8.7 High) was fixed in versions 1.2.1 and 2.0.2 of the CLI, the patch turned out to be incomplete.
The root cause lies in how pbjs—the protobuf.js static code generation tool—handles user‑supplied JSON descriptors when generating static JavaScript output. When generating code from a `.proto` file, names are already validated by the protobuf parser. However, when `pbjs` is invoked directly on a pre‑parsed JSON descriptor, the CLI skips the parser's validation step. An attacker can craft a malicious JSON descriptor that contains specially constructed namespace, enum, service, or full‑name fields. These names are then embedded directly into the generated JavaScript code without sufficient sanitization. In the bypass scenario, the previous fix attempted to block dangerous identifiers like `"constructor"` or `"__proto__"`, but the new attack showed that other unsafe JavaScript‑level references could still be emitted—for example, by using names that interfere with property lookups or prototype chains.
The attack requires three preconditions: the build process must run `pbjs` on an attacker‑controlled JSON descriptor; the generated JavaScript file must later be executed or imported; and an affected generated API path must be invoked. When these conditions are met, the injected code executes in the context of the application that imports the generated file, leading to arbitrary code execution on the target system.
DailyCVE Form
Platform: protobufjs-cli (Node.js)
Version: prior 1.2.1 / 2.0.2
Vulnerability: arbitrary code injection
Severity: 8.7 High
Date: 2026‑05‑05
Prediction: 2026‑05‑15 (expected patch date)
What Undercode Say
Check your installed `protobufjs-cli` version:

```sh
npm list protobufjs-cli
```

Upgrade to the fixed version (for npm):

```sh
npm install protobufjs-cli@1.2.1 --save-dev
```

or `protobufjs-cli@2.0.2` for the 2.x line.
Exploit
Malicious JSON descriptor (`input.json`):

```json
{
  "nested": {
    "__proto__": {
      "fields": {}
    },
    "prototype.polluted": {
      "methods": {}
    }
  }
}
```

Running the command:

```sh
pbjs -t static-module -o output.js input.json
```

will generate unsafe JavaScript code containing the attacker‑controlled strings.
Protection
- Upgrade to protobufjs‑cli 1.2.1 or 2.0.2 or higher.
- Do not run `pbjs` on untrusted JSON descriptors. If you must, sanitize all name fields using a whitelist that matches the `.proto` naming rules before code generation.
- Isolate code generation in a sandboxed environment (e.g., a temporary Docker container) and do not execute generated files directly.
- Prefer using `.proto` files as input instead of pre‑parsed JSON descriptors; the parser validates names correctly.
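The whitelist check from the second bullet, as an added example that is not code from protobufjs-cli or from this advisory: it walks a protobuf.js JSON descriptor before `pbjs` runs, enforces the `.proto` identifier rule on every name and rejects JavaScript-reserved property names. The function names, the list of named-map keys and the sample descriptors are constructed for this example.

```javascript
// Added example, not code from protobufjs-cli: a pre-generation check for a
// protobuf.js JSON descriptor. The .proto parser only accepts identifiers of
// the form [A-Za-z_][A-Za-z0-9_]*, which cannot carry the quotes, dots or
// brackets needed to break out of generated code, so the same rule is applied
// to every name in the JSON. JavaScript-reserved property names are valid
// identifiers but still unsafe as generated property names, so they are
// rejected as well.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
const JS_RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// Descriptor keys whose values are maps keyed by user-supplied names (assumed set).
const NAMED_MAPS = ['nested', 'fields', 'methods', 'values', 'oneofs'];

// Walk the descriptor tree; return a "/"-joined path for every unsafe name.
function findUnsafeNames(node, path = [], out = []) {
  if (node === null || typeof node !== 'object') return out;
  for (const mapKey of NAMED_MAPS) {
    const map = node[mapKey];
    if (map === null || typeof map !== 'object') continue;
    // Object.keys lists own properties only. JSON.parse stores a literal
    // "__proto__" key as an own property (it does not become the prototype),
    // so it shows up here; an object literal would have hidden it.
    for (const name of Object.keys(map)) {
      const here = [...path, mapKey, name];
      if (!IDENT.test(name) || JS_RESERVED.has(name)) out.push(here.join('/'));
      findUnsafeNames(map[name], here, out);
    }
  }
  return out;
}

// Parse raw descriptor text and refuse it if any name is unsafe.
function assertSafeDescriptor(jsonText) {
  const descriptor = JSON.parse(jsonText);
  const bad = findUnsafeNames(descriptor);
  if (bad.length > 0) throw new Error('unsafe descriptor names: ' + bad.join(', '));
  return descriptor;
}

// Constructed samples: the descriptor from the Exploit section and a benign one.
const MALICIOUS = '{"nested":{"__proto__":{"fields":{}},"prototype.polluted":{"methods":{}}}}';
const BENIGN = '{"nested":{"greeter":{"nested":{"Greeter":{"methods":{"SayHello":{' +
  '"requestType":"HelloRequest","responseType":"HelloReply"}}}}}}}';

console.log(findUnsafeNames(JSON.parse(MALICIOUS)));
// ['nested/__proto__', 'nested/prototype.polluted']
console.log(findUnsafeNames(JSON.parse(BENIGN)).length); // 0
```

Run `assertSafeDescriptor` on the raw file text before invoking `pbjs`; it refuses the descriptor outright rather than trying to repair names, since a rejected name is a signal that the input is not a parser-produced descriptor.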
Impact
An attacker who can supply a malicious JSON descriptor to `pbjs` can cause arbitrary JavaScript code to be embedded into the generated output. If that generated file is later imported or executed, the attacker’s code runs with the privileges of the importing process. This can lead to full system compromise, data exfiltration, or lateral movement within a build pipeline or application server.
Sources:
Reported By: github.com