protobufjs-cli Command Injection Vulnerability in JSDoc Integration
Vulnerability
A command injection vulnerability has been identified in protobufjs-cli versions prior to 1.2.1 and 2.0.2. The issue arises in the 'pbts' command, which invokes JSDoc by concatenating input file paths into a shell command string and executing it via 'child_process.exec'. Because 'exec' hands the string to a shell ('/bin/sh' or 'cmd.exe'), any shell metacharacters in a file path (for example ';', '&&', '|', '$(...)' or backticks) are interpreted by the shell rather than being passed to JSDoc as plain arguments. As a result, an attacker who controls the names of the files passed to 'pbts' (for example through a repository or package that a build pipeline processes) can execute arbitrary shell commands with the privileges of the process running 'pbts'.
Impact
Exploitation of this vulnerability leads to arbitrary command execution with the privileges of the user running the 'pbts' command. Build servers and CI pipelines that run 'pbts' over files from untrusted sources are the most exposed, since the attacker only needs to control a file name, not the file's contents.
Remediation
Users should upgrade to protobufjs-cli version 1.2.1 or 2.0.2 (or later) to address this vulnerability. If an immediate upgrade is not possible, do not run 'pbts' on file paths an attacker can influence, and validate the paths (not the file contents) before use, rejecting any that contain shell metacharacters. As a further mitigation, run the CLI in a restricted environment with limited privileges so that a successful injection has limited reach.
