PT-2024-35996 · Nanopb+1 · Nanopb+1

Inolen

Published: 2024-12-02 · Updated: 2024-12-09 · CVE-2024-53984

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Nanopb versions prior to 0.4.9.1
Description: The issue arises when all of the following hold: the compile-time option PB_ENABLE_MALLOC is enabled, the message contains at least one field with the FT_POINTER field type, a custom stream callback is used with unknown stream length, and the pb_decode_ex() function is used with the PB_DECODE_DELIMITED flag. This could lead to a memory leak and potential denial-of-service.
Recommendations: For versions prior to 0.4.9.1, update to version 0.4.9.1 to resolve the issue. As a temporary workaround, consider disabling use of the pb_decode_ex() function with the PB_DECODE_DELIMITED flag until a patch is available. Restrict the use of custom stream callbacks with unknown stream lengths to minimize the risk of exploitation. Avoid using the FT_POINTER field type in messages until the issue is resolved.
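To decide whether a code base needs the update or the workarounds above, the following triage script checks a source tree for the statically visible preconditions from the description. It is an added example, not code from the advisory or the Nanopb project, and it assumes that the vendored pb.h declares its release in a `NANOPB_VERSION` define, that FT_POINTER shows up in .options or .proto files, and that the listed library file names are the ones to skip.

```python
import re
from pathlib import Path

FIXED = (0, 4, 9, 1)  # first fixed release named in the advisory
# Assumption: pb.h declares its release as  #define NANOPB_VERSION "nanopb-0.4.9"
VERSION_RE = re.compile(r'#\s*define\s+NANOPB_VERSION\s+"?nanopb-(\d+(?:\.\d+)*)')
# Files shipped by the library itself; they mention every marker and are skipped.
LIBRARY_FILES = {"pb.h", "pb_common.h", "pb_common.c", "pb_decode.h",
                 "pb_decode.c", "pb_encode.h", "pb_encode.c", "nanopb.proto"}
MARKERS = ("PB_ENABLE_MALLOC", "FT_POINTER", "PB_DECODE_DELIMITED")
SCANNED = {".c", ".h", ".cc", ".cpp", ".proto", ".options", ".txt", ".mk", ".cmake"}


def nanopb_version(root):
    """Return the vendored nanopb version as a 4-tuple, or None if not found."""
    for pb_h in Path(root).rglob("pb.h"):
        m = VERSION_RE.search(pb_h.read_text(errors="replace"))
        if m:
            parts = [int(p) for p in m.group(1).split(".")]
            return tuple((parts + [0, 0, 0, 0])[:4])
    return None


def triage(root):
    """Map each advisory precondition to the project files that mention it."""
    hits = {name: [] for name in MARKERS}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.name in LIBRARY_FILES:
            continue
        if path.suffix not in SCANNED and path.name != "Makefile":
            continue
        text = path.read_text(errors="replace")
        for name in MARKERS:
            # "-D" covers compiler flags such as -DPB_ENABLE_MALLOC
            if re.search(rf"(?:\b|-D){name}\b", text):
                hits[name].append(path.relative_to(root).as_posix())
    version = nanopb_version(root)
    old = version is not None and version < FIXED
    # The remaining precondition (custom stream callback with unknown stream
    # length) is a runtime property and still needs manual review.
    return {"version": version, "hits": hits,
            "review_needed": old and all(hits.values())}


if __name__ == "__main__":
    import sys
    print(triage(sys.argv[1] if len(sys.argv) > 1 else "."))
```

A `review_needed` result of `True` means the tree vendors a pre-0.4.9.1 release and mentions all three markers, so the decode paths that read from custom stream callbacks should be inspected by hand.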

Exploit

Fix

DoS

Improper Handling of Exceptional Conditions

Memory Leak


Weakness Enumeration

Related Identifiers

CVE-2024-53984
GHSA-XWQQ-QXMW-HJ5R
OPENSUSE-SU-2024:0400-1

Affected Products

Debian
Nanopb