protobufjs-cli versions before 1.3.2 and 2.5.0 have an incomplete fix for unsafe name handling in static code generation from JSON descriptors, allowing code injection. This vulnerability arises when attacker-controlled JSON descriptors are used to generate static JavaScript output, potentially resulting in injected code execution upon use of the generated API. The vulnerability bypasses a prior fix (CVE-2026-44295) and does not affect the typical use case of parsing .proto files. The vulnerability is identified as CWE-94 (Improper Control of Generation of Code).

An attacker who can supply or influence pre-parsed JSON descriptors passed to the static code generation feature of protobufjs-cli may cause malicious JavaScript code to be injected into the generated output. This injected code could execute when the generated file is executed or imported and the affected API path is invoked, potentially leading to full compromise of the environment running the generated code. The vulnerability has a CVSS 3.1 score of 8.2, indicating high impact on confidentiality and integrity with limited availability impact.

This vulnerability is fixed in protobufjs-cli versions 1.3.2 and 2.5.0. Users should upgrade to one of these versions or later to remediate the issue. Since no official remediation level or patch links are provided in the advisory, users should verify the upgrade availability from the official protobufjs project sources. Avoid using untrusted or attacker-controlled JSON descriptors as input to the static code generation feature. The common use case of parsing .proto files is not affected, so prefer this method where possible.