PT-2024-6442 · Google · Protocol Buffers
Published 2024-09-18 · Updated 2026-05-18
CVE-2024-7254
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
protobuf-java 3.x versions prior to 3.25.5
Protocol Buffers 4.x versions prior to 4.28.2 (the Java parser shipped with the project)
Description
The vulnerability stems from insufficient input validation in protobuf-java, the Java implementation of Protocol Buffers. When untrusted data contains deeply nested groups, or a long series of SGROUP (start-group, wire type 3) tags, the parser recurses once per nesting level without enforcing a depth limit, so an attacker-supplied message can exhaust the thread stack and trigger a StackOverflowError, resulting in a denial of service. The unbounded recursion occurs when nested groups are parsed as unknown fields or against Protobuf map fields, because those parsing paths did not apply the parser's recursion depth check.
Recommendations
For protobuf-java 3.x versions prior to 3.25.5, update to version 3.25.5 or later.
For Protocol Buffers 4.x versions prior to 4.28.2, update to version 4.28.2 or later.
As a temporary workaround, avoid parsing untrusted Protocol Buffers data through code paths that retain or discard unknown fields or that populate map fields. This only reduces exposure; upgrading is the actual fix.
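The following Python script is an added illustration, not code from the advisory or from the protobuf project. It models the Protocol Buffers wire format and a recursive unknown-field walker to show both the mechanism in the description (one stack frame per SGROUP tag, so a run of start-group tags overflows the stack) and the kind of depth bound the workaround above calls for (rejecting input past a fixed nesting depth before it is handed to a parser). Python's recursion limit stands in for the JVM thread stack; the walker, the `nested_groups_payload` generator, the sample message bytes and the limit of 100 (protobuf's documented default recursion limit) are the example's own assumptions.

```python
"""Added example: a recursive protobuf unknown-field walker, vulnerable and bounded.

Python's recursion limit stands in for the JVM thread stack. Everything here
(walker, payload generator, sample bytes) is constructed for this example and
is not protobuf-java code.
"""
import sys

WIRETYPE_VARINT, WIRETYPE_FIXED64, WIRETYPE_LENGTH_DELIMITED = 0, 1, 2
WIRETYPE_START_GROUP, WIRETYPE_END_GROUP, WIRETYPE_FIXED32 = 3, 4, 5
DEFAULT_RECURSION_LIMIT = 100  # protobuf's documented default nesting depth limit

# Constructed benign message: field 1 = varint 150, field 2 = "hi",
# field 3 = a group containing field 1 = varint 1.
BENIGN_MESSAGE = b"\x08\x96\x01\x12\x02hi\x1b\x08\x01\x1c"


def encode_varint(value: int) -> bytes:
    """Base-128 varint encoding used for tags, lengths and integer fields."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(buf: bytes, pos: int):
    """Decode one varint at pos; returns (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def tag(field_number: int, wire_type: int) -> bytes:
    return encode_varint((field_number << 3) | wire_type)


def nested_groups_payload(depth: int, terminated: bool = True, field_number: int = 1) -> bytes:
    """Constructed attacker input: `depth` SGROUP tags, optionally followed by matching EGROUPs."""
    payload = tag(field_number, WIRETYPE_START_GROUP) * depth
    if terminated:
        payload += tag(field_number, WIRETYPE_END_GROUP) * depth
    return payload


def walk_unknown_fields(buf: bytes, pos: int = 0, depth: int = 0, limit=None, end_group=None):
    """Skip every field from pos onward the way an unknown-field parser does.

    Each SGROUP tag recurses one level deeper. limit=None models the
    unbounded (vulnerable) path; an int limit raises ValueError once the
    nesting exceeds it, before any further input is read.
    Returns (max_depth_seen, position_after).
    """
    max_depth = depth
    while pos < len(buf):
        key, pos = decode_varint(buf, pos)
        field_number, wire_type = key >> 3, key & 7
        if field_number == 0:
            raise ValueError("invalid field number 0")
        if wire_type == WIRETYPE_VARINT:
            _, pos = decode_varint(buf, pos)
        elif wire_type == WIRETYPE_FIXED64:
            pos += 8
        elif wire_type == WIRETYPE_LENGTH_DELIMITED:
            length, pos = decode_varint(buf, pos)
            pos += length
        elif wire_type == WIRETYPE_FIXED32:
            pos += 4
        elif wire_type == WIRETYPE_START_GROUP:
            if limit is not None and depth + 1 > limit:
                raise ValueError(f"recursion limit {limit} exceeded")
            inner_max, pos = walk_unknown_fields(buf, pos, depth + 1, limit, field_number)
            max_depth = max(max_depth, inner_max)
        elif wire_type == WIRETYPE_END_GROUP:
            if field_number != end_group:
                raise ValueError("mismatched end-group tag")
            return max_depth, pos
        else:
            raise ValueError(f"invalid wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("truncated field")
    if end_group is not None:
        raise ValueError("unterminated group")
    return max_depth, pos


def parse_outcome(payload: bytes, limit, stack_frames: int = 1000) -> str:
    """Run the walker under a fixed stack budget and summarise the result.

    A RecursionError here corresponds to the StackOverflowError the
    vulnerable protobuf-java paths raised on a deeply nested group payload.
    """
    saved = sys.getrecursionlimit()
    sys.setrecursionlimit(stack_frames)
    try:
        max_depth, _ = walk_unknown_fields(payload, limit=limit)
        return f"ok depth={max_depth}"
    except RecursionError:
        return "stack overflow"
    except ValueError as exc:
        return f"rejected: {exc}"
    finally:
        sys.setrecursionlimit(saved)


if __name__ == "__main__":
    for label, payload, limit in [
        ("benign, bounded", BENIGN_MESSAGE, DEFAULT_RECURSION_LIMIT),
        ("5000 nested groups, unbounded", nested_groups_payload(5000), None),
        ("5000 nested groups, bounded", nested_groups_payload(5000), DEFAULT_RECURSION_LIMIT),
        ("5000 unterminated SGROUP tags, bounded", nested_groups_payload(5000, terminated=False), DEFAULT_RECURSION_LIMIT),
    ]:
        print(f"{label}: {parse_outcome(payload, limit)}")
```

The bounded walker rejects the payload at depth 101 having read only 101 bytes, which is why a depth check at the parser (or a pre-filter like this one over untrusted bytes) is a cheap defence; the unbounded walker, like the affected protobuf-java paths, keeps recursing until the stack is gone.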
Exploit
Fix
DoS
Resource Exhaustion
Uncontrolled Recursion
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Bamboo
Bitbucket
Debian
Linux Mint
Protocol Buffers
RED OS
SUSE
Ubuntu
protobuf-java