PT-2025-28031 · Protobuf+2

Darkamaul · Published 2024-12-12 · Updated 2026-04-01 · CVE-2025-53605

CVSS v4.0: 6.6 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: protobuf crate for Rust, versions prior to 3.7.2
Description: The protobuf crate allows uncontrolled recursion in the protobuf::coded_input_stream::CodedInputStream::skip_group function when parsing unknown fields in untrusted input. The recursion results from improper handling of unknown fields and can be triggered by untrusted input, so it poses a security risk.
Recommendations: For versions prior to 3.7.2, update to version 3.7.2 or later to resolve the issue. As a temporary workaround, restrict the use of the protobuf::coded_input_stream::CodedInputStream::skip_group function when parsing untrusted input until a patch is available.

Fix

Uncontrolled Recursion

Allocation of Resources Without Limits

RCE

Weakness Enumeration

Related Identifiers

AZL-65556
AZL-65565
AZL-65568
AZL-65574
AZL-65577
AZL-65592
BDU:2026-05693
CVE-2025-53605
GHSA-2GH3-RMM4-6RQ5
GHSA-RXF6-323F-44FC
RUSTSEC-2024-0437

Affected Products

Debian
Red Os
Protobuf