Panic when parsing invalid messages in google.golang.org/protobuf
CVE-2023-24535

7.5HIGH

What is CVE-2023-24535?

CVE-2023-24535 is a denial-of-service vulnerability in the text-format decoder of Go Protobuf (google.golang.org/protobuf). Parsing certain invalid textproto messages makes the decoder panic instead of returning an error. The trigger is a negative sign followed by whitespace and then the end of the input: the parser consumes the sign and the whitespace and then fails when it expects more input to follow. An unrecovered Go panic terminates the whole process, so any service that decodes text-format protobuf from untrusted sources with an affected version can be crashed by a message of a few bytes. The defect was introduced in version 1.29.0 and fixed in 1.29.1; upgrading is the fix. Until a deployment is upgraded, callers should recover from panics around prototext.Unmarshal and avoid handing untrusted text-format input to the decoder at all, since the binary wire format (proto.Unmarshal) is not affected by this issue.
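The bug class described above, as an added Go example that is not code from this advisory or from protobuf-go: a minimal text-format number scanner that reads past the end of the input after a sign and whitespace (scanNumberUnsafe, an assumed reconstruction of the bug's shape rather than the real decoder), its hardened form with a length check before every index (scanNumberSafe), and a recover wrapper (parseWithRecover) of the kind a service can put around any decoder that is fed untrusted input. The function names, ErrMalformedNumber and the sample inputs are the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// ErrMalformedNumber is returned by the hardened scanner for an incomplete or
// ill-formed numeric literal, including the advisory's "- " input.
var ErrMalformedNumber = errors.New("textproto: malformed numeric literal")

// skipWS returns the index of the first non-blank byte at or after i, or
// len(in) if only whitespace remains.
func skipWS(in string, i int) int {
	for i < len(in) && (in[i] == ' ' || in[i] == '\t' || in[i] == '\n') {
		i++
	}
	return i
}

// scanNumberUnsafe models the bug class in the advisory (an illustrative
// reconstruction, not protobuf-go's decoder). It accepts a leading '-',
// tolerates whitespace between the sign and the digits, and then reads in[i]
// without checking that any input remains. For "- " (sign, space, end of
// input) i == len(in) at that point, so the index is out of range and the
// function panics instead of returning an error.
func scanNumberUnsafe(in string) (int64, error) {
	i := 0
	neg := false
	if in[0] == '-' {
		neg = true
		i = skipWS(in, 1)
	}
	// BUG: no "i < len(in)" guard; a bare "-" or "- " reaches this line with
	// i == len(in) and the index expression panics.
	if in[i] < '0' || in[i] > '9' {
		return 0, ErrMalformedNumber
	}
	start := i
	for i < len(in) && in[i] >= '0' && in[i] <= '9' {
		i++
	}
	v, err := strconv.ParseInt(in[start:i], 10, 64)
	if err != nil {
		return 0, err
	}
	if neg {
		v = -v
	}
	return v, nil
}

// scanNumberSafe is the hardened form: every index is guarded by a length
// check, so malformed input of any shape yields ErrMalformedNumber rather
// than a panic, and trailing non-blank bytes are rejected.
func scanNumberSafe(in string) (int64, error) {
	i := skipWS(in, 0)
	neg := false
	if i < len(in) && in[i] == '-' {
		neg = true
		i = skipWS(in, i+1)
	}
	start := i
	for i < len(in) && in[i] >= '0' && in[i] <= '9' {
		i++
	}
	if start == i { // no digits: "", "-", "- ", "-x" all land here
		return 0, ErrMalformedNumber
	}
	v, err := strconv.ParseInt(in[start:i], 10, 64)
	if err != nil {
		return 0, err // out of range for int64
	}
	if skipWS(in, i) != len(in) {
		return 0, ErrMalformedNumber
	}
	if neg {
		v = -v
	}
	return v, nil
}

// parseWithRecover converts a parser panic into an ordinary error so that one
// hostile message cannot crash the process. It is defense in depth for any
// decoder fed untrusted input, not a substitute for upgrading: recover only
// catches panics on the calling goroutine and cannot catch fatal runtime
// errors such as out-of-memory.
func parseWithRecover(parse func(string) (int64, error), in string) (v int64, err error) {
	defer func() {
		if r := recover(); r != nil {
			v, err = 0, fmt.Errorf("textproto: parser panicked on %q: %v", in, r)
		}
	}()
	return parse(in)
}

func main() {
	// Constructed sample inputs; "- " is the advisory's trigger.
	for _, in := range []string{"42", "-5", "- ", "-", ""} {
		uv, uerr := parseWithRecover(scanNumberUnsafe, in)
		sv, serr := scanNumberSafe(in)
		fmt.Printf("%-4q unsafe: %d, %v | hardened: %d, %v\n", in, uv, uerr, sv, serr)
	}
}
```

Running it shows the two scanners diverging only on the malformed inputs: the unsafe one panics on "- " and "-" (surfaced as an error solely because of the recover wrapper), while the hardened one returns ErrMalformedNumber and never panics. In a real service the wrapper would sit around prototext.Unmarshal; it buys time, but the panic still aborts the request and any goroutine-local state, so the upgrade to 1.29.1 remains the fix.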

Affected Version(s)

google.golang.org/protobuf/encoding/prototext: 1.29.0 <= version < 1.29.1 (introduced in 1.29.0, fixed in 1.29.1)

google.golang.org/protobuf/internal/encoding/text: 1.29.0 <= version < 1.29.1 (introduced in 1.29.0, fixed in 1.29.1)

Versions before 1.29.0 are not affected. To check a module, run "go list -m google.golang.org/protobuf" and compare the reported version with 1.29.1; "govulncheck ./..." also reports this issue and whether the vulnerable decoder is actually reachable from the module's code.

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
