Infinite loop in JSON unmarshaling in google.golang.org/protobuf
CVE-2024-24786
What is CVE-2024-24786?
The protojson.Unmarshal function in google.golang.org/protobuf, the Go implementation of Protocol Buffers, can enter an infinite loop when it encounters certain types of invalid JSON. This can occur when unmarshaling into a message that contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. The result can be performance degradation or an application freeze, so developers should validate JSON input before handing it to Protocol Buffers.

Affected Version(s)
google.golang.org/protobuf/encoding/protojson 0 < 1.33.0
google.golang.org/protobuf/internal/encoding/json 0 < 1.33.0
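An added example, not code from this advisory or from the protobuf project: a standard-library Go check that reads go.mod text and reports whether it requires google.golang.org/protobuf inside the affected range listed above (below 1.33.0). The function names and the sample go.mod are constructed for illustration; replace directives and vendored copies are not considered.

```go
package main

import (
	"fmt"
	"strings"
)

// Module path and first unaffected release, per this page's range (< 1.33.0).
const module = "google.golang.org/protobuf"
var fixed = [3]int{1, 33, 0}

// requiredVersion returns the version a go.mod text requires for module, or "".
func requiredVersion(gomod string) string {
	inRequire := false
	for _, raw := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.Split(raw, "//")[0]) // drop "// indirect" etc.
		switch {
		case len(f) > 0 && (f[len(f)-1] == "(" || f[0] == ")"):
			inRequire = len(f) == 2 && f[0] == "require" // only "require (" opens one
		case len(f) == 3 && f[0] == "require" && f[1] == module:
			return f[2]
		case inRequire && len(f) == 2 && f[0] == module:
			return f[1]
		}
	}
	return ""
}

// affected compares the numeric core only, so pre-releases and pseudo-versions err toward "affected".
func affected(version string) (bool, error) {
	v, _, _ := strings.Cut(strings.TrimPrefix(version, "v"), "+")
	core, _, hasPre := strings.Cut(v, "-")
	var got [3]int
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &got[0], &got[1], &got[2]); err != nil {
		return false, fmt.Errorf("unparseable version %q", version)
	}
	for i := range got {
		if got[i] != fixed[i] {
			return got[i] < fixed[i], nil
		}
	}
	return hasPre, nil // same core as the fix: only a pre-release sorts earlier
}

func main() { // constructed go.mod text, not taken from a real project
	mod := "module example.test/app\n\nrequire (\n\tgoogle.golang.org/protobuf v1.32.0 // indirect\n)\n"
	bad, err := affected(requiredVersion(mod))
	fmt.Println(bad, err)
}
```

An absent requirement yields an empty version string, which affected reports as an error rather than as "not affected".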
