Intel

AIKIDO-2026-202183

pbf is vulnerable to Code Injection

Code Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

59

Medium Risk

This Affects:

JSpbf
2.0.0 - 5.1.1
Fixed in 5.1.2
Are you affected? Scan for Free

TL;DR

The pbf/compile module generates JavaScript reader/writer functions from a parsed protobuf schema and interpolates each field.tag value directly into the generated source that is evaluated with new Function. Field tags were not validated, so a crafted schema supplying a string tag containing JavaScript can inject and execute attacker-controlled code when the schema is compiled. This can lead to arbitrary code execution in the process that compiles an untrusted schema. The fix adds a validateTag check that rejects non-integer tags and tags outside the valid protobuf range before code generation.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application compiles protobuf schemas from untrusted sources using pbf/compile.

Background info

pbf is vulnerable to Code Injection in versions 2.0.0 - 5.1.1.

How to fix this

Upgrade the pbf library to the patch version.