Infinite loop in JSON unmarshaling in google.golang.org/protobuf
CVE-2024-24786

7.5 HIGH

What is CVE-2024-24786?

An issue has been identified in Google's Protocol Buffers where the protojson.Unmarshal function can enter an infinite loop when it encounters certain types of invalid JSON data. This occurs in particular when unmarshaling into a message that contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. Such behavior can lead to performance degradation or an application hang, so it is vital for developers to apply proper input validation when handling JSON with Protocol Buffers.

Affected Version(s)

google.golang.org/protobuf/encoding/protojson 0 < 1.33.0

google.golang.org/protobuf/internal/encoding/json 0 < 1.33.0
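A check for the affected range listed above, as an added Go example that is not part of this advisory or of the protobuf project: it compares a google.golang.org/protobuf module version (for instance as printed by `go list -m google.golang.org/protobuf`) against the first fixed release, treating pre-releases of v1.33.0 as still affected. The version strings in main are constructed samples.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// First fixed google.golang.org/protobuf version, as listed in the advisory.
const fixedVersion = "v1.33.0"

// parseSemver splits "v1.32.0" into numbers; pre marks a "-rc1"-style suffix.
func parseSemver(v string) (parts [3]int, pre bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v, pre = v[:i], true
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, false, fmt.Errorf("malformed version %q", v)
	}
	for i, f := range fields {
		if parts[i], err = strconv.Atoi(f); err != nil {
			return parts, false, fmt.Errorf("malformed version %q: %w", v, err)
		}
	}
	return parts, pre, nil
}

// IsVulnerable reports whether a protobuf version is below the CVE-2024-24786 fix (v1.33.0).
func IsVulnerable(version string) (bool, error) {
	have, pre, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	fixed, _, _ := parseSemver(fixedVersion)
	for i := range have {
		if have[i] != fixed[i] {
			return have[i] < fixed[i], nil
		}
	}
	return pre, nil // same numbers: only a pre-release of v1.33.0 is unfixed
}

func main() {
	// Constructed sample versions; a real run would feed the deployed version.
	for _, v := range []string{"v1.32.0", "v1.33.0-rc1", "v1.33.0", "v1.34.2"} {
		vuln, err := IsVulnerable(v)
		fmt.Printf("%-12s affected by CVE-2024-24786: %v (err=%v)\n", v, vuln, err)
	}
}
```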

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
