Code Injection Vulnerability in Protobuf.js Command Line Tool
CVE-2026-54271

8.2 HIGH

Key Information:

Vendor: Protobufjs
CVE Published: 22 June 2026

What is CVE-2026-54271?

protobufjs-cli, a command line interface for protobuf.js, is vulnerable because earlier fixes for unsafe name handling in static module code generation were incomplete. Versions before 1.3.2 and 2.5.0 can generate unsafe JavaScript output from specially crafted JSON descriptors, allowing an attacker to inject harmful code that may execute when the generated file is invoked. Developers and users should upgrade to the fixed versions to mitigate this risk.

Affected Version(s)

protobufjs-cli < 1.3.2

protobufjs-cli >= 2.0.0, < 2.4.2

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
