Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    2 vulnerabilities found for Protocol Buffers by Google

    CVE-2024-7254 (GCVE-0-2024-7254)

    Vulnerability from nvd – Published: 2024-09-19 00:18 – Updated: 2025-09-08 09:37
    VLAI
    Title
    Stack overflow in Protocol Buffers Java Lite
    Summary
    Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-674 - Uncontrolled Recursion
    Assigner
    Impacted products
    Vendor Product Version
    Google Protocol Buffers Affected: 0 , < 28.2 (custom)
    Create a notification for this product.
    Google protobuf-java Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    Create a notification for this product.
    Google protobuf-javalite Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    Create a notification for this product.
    Google protobuf-kotlin Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    Create a notification for this product.
    Google protobuf-kotllin-lite Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    Create a notification for this product.
    Google google-protobuf [JRuby Gem] Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    Create a notification for this product.
    google protobuf Affected: 0 , < 28.2 (custom)
        cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*
    Create a notification for this product.
    google protobuf-kotlin-lite Affected: 0 , < 3.25.5 (custom)
    Affected: 4.27 , < 4.27.5 (custom)
    Affected: 4.28 , < 4.28.2 (custom)
        cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*
        cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*
        cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*
        cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*
        cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Alexis Challande, Trail of Bits Ecosystem Security Team <ecosystem@trailofbits.com>
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "protobuf",
                "vendor": "google",
                "versions": [
                  {
                    "lessThan": "28.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*",
                  "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
                  "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*",
                  "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
                  "cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "protobuf-kotlin-lite",
                "vendor": "google",
                "versions": [
                  {
                    "lessThan": "3.25.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "4.27.5",
                    "status": "affected",
                    "version": "4.27",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "4.28.2",
                    "status": "affected",
                    "version": "4.28",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7254",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-19T14:29:43.468555Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-19T14:46:14.517Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-04-19T00:11:07.841Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20241213-0010/"
              },
              {
                "url": "https://security.netapp.com/advisory/ntap-20250418-0006/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Protocol Buffers",
              "repo": "https://github.com/protocolbuffers/protobuf",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "collectionURL": "https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java",
              "defaultStatus": "unaffected",
              "product": "protobuf-java",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "protobuf-javalite",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "protobuf-kotlin",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "protobuf-kotllin-lite",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "collectionURL": "https://rubygems.org/gems/google-protobuf",
              "defaultStatus": "unaffected",
              "product": "google-protobuf [JRuby Gem]",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Alexis Challande, Trail of Bits Ecosystem Security Team \u003cecosystem@trailofbits.com\u003e"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAny project that parses untrusted Protocol Buffers data\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;containing an arbitrary number of nested \u003c/span\u003e\u003ccode\u003egroup\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003es / series of \u003c/span\u003e\u003ccode\u003eSGROUP\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;tags can corrupted by exceeding the stack limit i.e. StackOverflow. \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eParsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Any project that parses untrusted Protocol Buffers data\u00a0containing an arbitrary number of nested groups / series of SGROUP\u00a0tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-674",
                  "description": "CWE-674 Uncontrolled Recursion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-08T09:37:53.702Z",
            "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
            "shortName": "Google"
          },
          "references": [
            {
              "url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Stack overflow in Protocol Buffers Java Lite",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "assignerShortName": "Google",
        "cveId": "CVE-2024-7254",
        "datePublished": "2024-09-19T00:18:45.824Z",
        "dateReserved": "2024-07-29T21:41:56.116Z",
        "dateUpdated": "2025-09-08T09:37:53.702Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7254 (GCVE-0-2024-7254)

    Vulnerability from cvelistv5 – Published: 2024-09-19 00:18 – Updated: 2025-09-08 09:37
    VLAI
    Title
    Stack overflow in Protocol Buffers Java Lite
    Summary
    Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-674 - Uncontrolled Recursion
    Assigner
    Impacted products
    Vendor Product Version
    Google Protocol Buffers Affected: 0 , < 28.2 (custom)
    Create a notification for this product.
    Google protobuf-java Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    Create a notification for this product.
    Google protobuf-javalite Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    Create a notification for this product.
    Google protobuf-kotlin Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    Create a notification for this product.
    Google protobuf-kotllin-lite Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    Create a notification for this product.
    Google google-protobuf [JRuby Gem] Affected: 0 , < 3.25.5 (custom)
    Affected: 0 , < 4.27.5 (custom)
    Affected: 0 , < 4.28.2 (custom)
    Create a notification for this product.
    google protobuf Affected: 0 , < 28.2 (custom)
        cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*
    Create a notification for this product.
    google protobuf-kotlin-lite Affected: 0 , < 3.25.5 (custom)
    Affected: 4.27 , < 4.27.5 (custom)
    Affected: 4.28 , < 4.28.2 (custom)
        cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*
        cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*
        cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*
        cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*
        cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Alexis Challande, Trail of Bits Ecosystem Security Team <ecosystem@trailofbits.com>
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "protobuf",
                "vendor": "google",
                "versions": [
                  {
                    "lessThan": "28.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*",
                  "cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
                  "cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*",
                  "cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
                  "cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "protobuf-kotlin-lite",
                "vendor": "google",
                "versions": [
                  {
                    "lessThan": "3.25.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "4.27.5",
                    "status": "affected",
                    "version": "4.27",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "4.28.2",
                    "status": "affected",
                    "version": "4.28",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7254",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-19T14:29:43.468555Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-19T14:46:14.517Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-04-19T00:11:07.841Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20241213-0010/"
              },
              {
                "url": "https://security.netapp.com/advisory/ntap-20250418-0006/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Protocol Buffers",
              "repo": "https://github.com/protocolbuffers/protobuf",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "collectionURL": "https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java",
              "defaultStatus": "unaffected",
              "product": "protobuf-java",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "protobuf-javalite",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "protobuf-kotlin",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "protobuf-kotllin-lite",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "collectionURL": "https://rubygems.org/gems/google-protobuf",
              "defaultStatus": "unaffected",
              "product": "google-protobuf [JRuby Gem]",
              "vendor": "Google",
              "versions": [
                {
                  "lessThan": "3.25.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.27.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "4.28.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Alexis Challande, Trail of Bits Ecosystem Security Team \u003cecosystem@trailofbits.com\u003e"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAny project that parses untrusted Protocol Buffers data\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;containing an arbitrary number of nested \u003c/span\u003e\u003ccode\u003egroup\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003es / series of \u003c/span\u003e\u003ccode\u003eSGROUP\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;tags can corrupted by exceeding the stack limit i.e. StackOverflow. \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eParsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Any project that parses untrusted Protocol Buffers data\u00a0containing an arbitrary number of nested groups / series of SGROUP\u00a0tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-674",
                  "description": "CWE-674 Uncontrolled Recursion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-08T09:37:53.702Z",
            "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
            "shortName": "Google"
          },
          "references": [
            {
              "url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Stack overflow in Protocol Buffers Java Lite",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "assignerShortName": "Google",
        "cveId": "CVE-2024-7254",
        "datePublished": "2024-09-19T00:18:45.824Z",
        "dateReserved": "2024-07-29T21:41:56.116Z",
        "dateUpdated": "2025-09-08T09:37:53.702Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }