SCA: security update for protobufjs-cli (GHSA-pr59-h9ph-3fr8)

high Tenable Cloud Security Plugin ID 443241

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.3.2 and 2.5.0, a previous fix for
unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of
protobufjs-cli could still emit unsafe JavaScript references when generating static output from crafted
JSON descriptor input. The common case of parsing schemas from .proto files is not affected. This is a
bypass of CVE-2026-44295. An attacker who can provide or influence pre-parsed JSON descriptors passed to
pbjs static code generation may be able to cause generated JavaScript output to contain
attacker-controlled code. The injected code may execute if the generated file is later executed or imported and an
affected generated API path is invoked. This vulnerability is fixed in 1.3.2 and 2.5.0. (CVE-2026-54271)

Solution

Update the protobufjs-cli library and its related packages to version 1.3.2 or later. The description above lists 1.3.2 and 2.5.0 as the fixed versions.
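The description ties the risk to pre-parsed JSON descriptors that reach pbjs static code generation. The following is an added example, not code from Tenable or the protobuf.js project: a lint that walks a protobuf.js JSON descriptor and flags names and type references that are not plain identifiers before the descriptor is handed to the generator. The allow-list patterns, the function name `lintDescriptor` and the sample descriptors are assumptions made for illustration; the advisory does not state which names are unsafe.

```javascript
// Added example: lint a protobuf.js JSON descriptor before `pbjs -t static`.
// Assumption (not from the advisory): names must be plain identifiers and
// type references must be dotted identifier paths; anything else is flagged.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
const TYPE_REF = /^\.?[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;
const obj = (v) => (v && typeof v === "object" && !Array.isArray(v) ? v : {});

function lintDescriptor(node, path = "root", findings = []) {
  const d = obj(node);
  const name = (n, where) => {
    if (!IDENT.test(n)) findings.push({ where, kind: "name", value: n });
  };
  const ref = (r, where) => {
    if (r !== undefined && (typeof r !== "string" || !TYPE_REF.test(r)))
      findings.push({ where, kind: "type-ref", value: r });
  };
  const at = (section, n) => `${path}.${section}[${JSON.stringify(n)}]`;
  for (const [n, f] of Object.entries(obj(d.fields))) {
    name(n, at("fields", n));
    ref(obj(f).type, at("fields", n) + ".type");
    ref(obj(f).keyType, at("fields", n) + ".keyType"); // map fields only
  }
  for (const [n, o] of Object.entries(obj(d.oneofs))) {
    name(n, at("oneofs", n));
    const members = Array.isArray(obj(o).oneof) ? o.oneof : [];
    for (const m of members) name(String(m), at("oneofs", n) + ".oneof");
  }
  for (const n of Object.keys(obj(d.values))) name(n, at("values", n)); // enums
  for (const [n, m] of Object.entries(obj(d.methods))) {
    name(n, at("methods", n));
    ref(obj(m).requestType, at("methods", n) + ".requestType");
    ref(obj(m).responseType, at("methods", n) + ".responseType");
  }
  for (const [n, child] of Object.entries(obj(d.nested))) {
    name(n, at("nested", n));
    lintDescriptor(child, at("nested", n), findings); // namespaces and types
  }
  return findings;
}

// Constructed sample descriptors (not taken from the advisory).
const CLEAN = { nested: { demo: { nested: {
  Tag: { fields: { label: { type: "string", id: 1 } } },
  User: { fields: { id: { type: "int32", id: 1 },
                    tags: { keyType: "string", type: ".demo.Tag", id: 2 } } } } } } };
const SUSPECT = { nested: { demo: { nested: {
  "Bad Name": { fields: { tag: { type: "demo.Tag;", id: 1 } } } } } } };
console.log(lintDescriptor(SUSPECT));
```

A non-empty result is a reason to reject the descriptor in a build pipeline; the lint complements the upgrade in the Solution and does not replace it.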

See Also

https://github.com/advisories/GHSA-pr59-h9ph-3fr8

Plugin Details

Severity: High

ID: 443241

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 6/16/2026

Updated: 6/30/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.27

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.3

Temporal Score: 5.4

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:P

CVSS Score Source: CVE-2026-54271

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/15/2026

Vulnerability Publication Date: 6/15/2026

Reference Information

CVE: CVE-2026-54271

CWE: CWE-94