Search criteria
2 vulnerabilities found for Protocol Buffers by Google
CVE-2024-7254 (GCVE-0-2024-7254)
Vulnerability from cvelistv5 – Published: 2024-09-19 00:18 – Updated: 2025-09-08 09:37
VLAI?
Summary
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
Severity ?
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Protocol Buffers |
Affected:
0 , < 28.2
(custom)
|
||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
Credits
Alexis Challande, Trail of Bits Ecosystem Security Team <ecosystem@trailofbits.com>
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "protobuf",
"vendor": "google",
"versions": [
{
"lessThan": "28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*",
"cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
"cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*",
"cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
"cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "protobuf-kotlin-lite",
"vendor": "google",
"versions": [
{
"lessThan": "3.25.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.27.5",
"status": "affected",
"version": "4.27",
"versionType": "custom"
},
{
"lessThan": "4.28.2",
"status": "affected",
"version": "4.28",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7254",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T14:29:43.468555Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T14:46:14.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-04-19T00:11:07.841Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20241213-0010/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20250418-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Protocol Buffers",
"repo": "https://github.com/protocolbuffers/protobuf",
"vendor": "Google",
"versions": [
{
"lessThan": "28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java",
"defaultStatus": "unaffected",
"product": "protobuf-java",
"vendor": "Google",
"versions": [
{
"lessThan": "3.25.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.27.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "protobuf-javalite",
"vendor": "Google",
"versions": [
{
"lessThan": "3.25.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.27.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "protobuf-kotlin",
"vendor": "Google",
"versions": [
{
"lessThan": "3.25.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.27.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "protobuf-kotllin-lite",
"vendor": "Google",
"versions": [
{
"lessThan": "3.25.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.27.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://rubygems.org/gems/google-protobuf",
"defaultStatus": "unaffected",
"product": "google-protobuf [JRuby Gem]",
"vendor": "Google",
"versions": [
{
"lessThan": "3.25.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.27.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alexis Challande, Trail of Bits Ecosystem Security Team \u003cecosystem@trailofbits.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAny project that parses untrusted Protocol Buffers data\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;containing an arbitrary number of nested \u003c/span\u003e\u003ccode\u003egroup\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003es / series of \u003c/span\u003e\u003ccode\u003eSGROUP\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;tags can corrupted by exceeding the stack limit i.e. StackOverflow. \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eParsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Any project that parses untrusted Protocol Buffers data\u00a0containing an arbitrary number of nested groups / series of SGROUP\u00a0tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T09:37:53.702Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stack overflow in Protocol Buffers Java Lite",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2024-7254",
"datePublished": "2024-09-19T00:18:45.824Z",
"dateReserved": "2024-07-29T21:41:56.116Z",
"dateUpdated": "2025-09-08T09:37:53.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7254 (GCVE-0-2024-7254)
Vulnerability from nvd – Published: 2024-09-19 00:18 – Updated: 2025-09-08 09:37
VLAI?
Summary
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
Severity ?
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Protocol Buffers |
Affected:
0 , < 28.2
(custom)
|
||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
Credits
Alexis Challande, Trail of Bits Ecosystem Security Team <ecosystem@trailofbits.com>
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "protobuf",
"vendor": "google",
"versions": [
{
"lessThan": "28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*",
"cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
"cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*",
"cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
"cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "protobuf-kotlin-lite",
"vendor": "google",
"versions": [
{
"lessThan": "3.25.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.27.5",
"status": "affected",
"version": "4.27",
"versionType": "custom"
},
{
"lessThan": "4.28.2",
"status": "affected",
"version": "4.28",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7254",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T14:29:43.468555Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T14:46:14.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-04-19T00:11:07.841Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20241213-0010/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20250418-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Protocol Buffers",
"repo": "https://github.com/protocolbuffers/protobuf",
"vendor": "Google",
"versions": [
{
"lessThan": "28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java",
"defaultStatus": "unaffected",
"product": "protobuf-java",
"vendor": "Google",
"versions": [
{
"lessThan": "3.25.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.27.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "protobuf-javalite",
"vendor": "Google",
"versions": [
{
"lessThan": "3.25.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.27.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "protobuf-kotlin",
"vendor": "Google",
"versions": [
{
"lessThan": "3.25.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.27.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "protobuf-kotllin-lite",
"vendor": "Google",
"versions": [
{
"lessThan": "3.25.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.27.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://rubygems.org/gems/google-protobuf",
"defaultStatus": "unaffected",
"product": "google-protobuf [JRuby Gem]",
"vendor": "Google",
"versions": [
{
"lessThan": "3.25.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.27.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alexis Challande, Trail of Bits Ecosystem Security Team \u003cecosystem@trailofbits.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAny project that parses untrusted Protocol Buffers data\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;containing an arbitrary number of nested \u003c/span\u003e\u003ccode\u003egroup\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003es / series of \u003c/span\u003e\u003ccode\u003eSGROUP\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;tags can corrupted by exceeding the stack limit i.e. StackOverflow. \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eParsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Any project that parses untrusted Protocol Buffers data\u00a0containing an arbitrary number of nested groups / series of SGROUP\u00a0tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T09:37:53.702Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stack overflow in Protocol Buffers Java Lite",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2024-7254",
"datePublished": "2024-09-19T00:18:45.824Z",
"dateReserved": "2024-07-29T21:41:56.116Z",
"dateUpdated": "2025-09-08T09:37:53.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}