protobufjs-cli Code Generation Flaw Enables Unsafe JavaScript Identifiers - CVE-2026-44295 Rates High Severity

A code generation vulnerability in protobufjs-cli, the command line add-on for protobuf.js, exposes applications to risks through the emission of unsafe JavaScript identifiers. The flaw, tracked as CVE-2026-44295 and rated 8.7 on the CVSS scale (High severity), resides in pbjs static code generation functionality that fails to properly sanitize schema-controlled names before converting them into executable JavaScript code.

Affected versions span protobufjs 1.x prior to 1.2.1 and 2.x prior to 2.0.2. The vulnerability triggers when static JavaScript is generated from a crafted schema containing malicious identifier names. Unlike typical injection flaws that rely on user-controlled input at runtime, this issue exploits the static code generation pipeline itself, potentially embedding dangerous constructs directly into generated source files.

Developers using pbjs to compile Protocol Buffer schemas into JavaScript should upgrade to the patched versions immediately. The attack surface centers on build pipelines and automated tooling that process untrusted or externally-sourced schema definitions. Organizations relying on protobuf.js for inter-service communication, particularly in Node.js environments, face elevated risk if their build processes involve schema compilation from third-party sources. Security teams are advised to audit existing generated code artifacts and implement verification steps in CI/CD workflows to detect malformed identifiers before deployment.