CVE-2024-7254

Published: Sep 19, 2024

Modified: Sep 8, 2025

PUBLISHED

Description

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

Vendor	Product	Versions
Google	Protocol Buffers	affected `0 - < 28.2`
Google	protobuf-java	affected `0 - < 3.25.5` affected `0 - < 4.27.5` affected `0 - < 4.28.2`
Google	protobuf-javalite	affected `0 - < 3.25.5` affected `0 - < 4.27.5` affected `0 - < 4.28.2`
Google	protobuf-kotlin	affected `0 - < 3.25.5` affected `0 - < 4.27.5` affected `0 - < 4.28.2`
Google	protobuf-kotllin-lite	affected `0 - < 3.25.5` affected `0 - < 4.27.5` affected `0 - < 4.28.2`
Google	google-protobuf [JRuby Gem]	affected `0 - < 3.25.5` affected `0 - < 4.27.5` affected `0 - < 4.28.2`

Weaknesses (CWE)

CWE-400

CWE-674

References

https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-7254

Description

Affected Products

Weaknesses (CWE)

References