protobufjs-cli Code Injection Vulnerability in Static Code Generation

Vulnerability

A code injection vulnerability has been identified in protobufjs-cli, the command line tool for protobuf.js, affecting versions up to and including 1.2.0, and versions from 2.0.0 up to but not including 2.0.2. The issue arises in the 'pbjs' static code generation process, where schema-controlled names (message, field, enum and service names) are emitted as JavaScript identifiers in the generated code without adequate sanitization. An attacker who controls a schema or JSON descriptor can therefore craft names that inject code into the generated output. The injected code runs if the generated file is later executed or imported by an application or build process.

Impact

Exploitation of this vulnerability could lead to the execution of injected code from untrusted schemas, potentially allowing for arbitrary code execution in the context of the application or build process that imports or executes the generated JavaScript.

Remediation

Users can upgrade to protobufjs-cli versions 1.2.1 or 2.0.2 to address this vulnerability. It is also recommended to avoid running 'pbjs' static code generation on untrusted schemas or descriptors. If untrusted schemas must be used, validate schema names before code generation and conduct the generation process in an isolated environment.
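As an added illustration of the recommendation to validate schema names before code generation (example code written for this page, not part of protobufjs-cli), the following check walks a pbjs-style JSON descriptor, assumed to use protobuf.js's `nested` / `fields` / `values` / `methods` layout, and reports every message, field, enum-value or method name that is not a plain JavaScript identifier or is a reserved word. Names that fail the check should stop the generation step rather than be passed to pbjs.

```javascript
// Pre-generation name check for pbjs JSON descriptors (added example, not project code).
// Assumed descriptor shape: objects nested under "nested"; messages carry "fields",
// enums carry "values" (name -> number), services carry "methods".
const IDENT_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const RESERVED = new Set([
  "break", "case", "catch", "class", "const", "continue", "debugger", "default",
  "delete", "do", "else", "enum", "export", "extends", "false", "finally", "for",
  "function", "if", "import", "in", "instanceof", "new", "null", "return", "super",
  "switch", "this", "throw", "true", "try", "typeof", "var", "void", "while", "with",
  "yield", "let", "static", "await", "implements", "interface", "package", "private",
  "protected", "public",
]);

// A name is safe only if it is a syntactically plain identifier and not a keyword.
function isSafeName(name) {
  return IDENT_RE.test(name) && !RESERVED.has(name);
}

// Walk the descriptor and collect every name that would be emitted into the
// generated code but is not a safe identifier; returns [{ path, kind, name }].
function findUnsafeNames(descriptor) {
  const problems = [];
  const visit = (node, prefix) => {
    for (const kind of ["nested", "fields", "values", "methods"]) {
      const group = node[kind];
      if (!group || typeof group !== "object") continue;
      for (const name of Object.keys(group)) {
        const path = prefix ? `${prefix}.${name}` : name;
        if (!isSafeName(name)) problems.push({ path, kind, name });
        const child = group[name];
        if (child && typeof child === "object") visit(child, path); // recurse into messages/enums
      }
    }
  };
  visit(descriptor, "");
  return problems;
}

// Constructed sample descriptor: one invalid field name and one reserved-word enum value.
const SAMPLE = {
  nested: { demo: { nested: {
    Greeting: { fields: { text: { type: "string", id: 1 },
                          "not-a-valid-identifier": { type: "int32", id: 2 } } },
    Status: { values: { OK: 0, class: 1 } },
  } } },
};

const REPORT = findUnsafeNames(SAMPLE);
if (REPORT.length > 0) console.log("refusing to generate; unsafe names:", REPORT);
```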

Added: May 13, 2026, 5:24 PM
Updated: May 13, 2026, 5:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.