скеName Overflow Vulnerability in Protocol Buffers
CVE-2024-7254

7.5HIGH

Key Information:

Vendor: Google
Status: Protocol Buffers; Protobuf-java; Protobuf-javalite; Protobuf-kotlin
Vendor: CVE Published:; 19 September 2024

What is CVE-2024-7254?

A vulnerability exists in Google Protocol Buffers where projects parsing untrusted Protocol Buffers data containing nested groups or multiple SGROUP tags risk exceeding the stack limit, leading to stack overflow. This occurs when the parsing method, using either DiscardUnknownFieldsParser or Java Protobuf Lite parser, processes unknown fields or Protobuf map fields, resulting in unbounded recursion that can be exploited by an attacker. Proper validations and limitations are critical to mitigate potential risks.

Affected Version(s)

google-protobuf [JRuby Gem] 0 < 3.25.5

google-protobuf [JRuby Gem] 0 < 4.27.5

google-protobuf [JRuby Gem] 0 < 4.28.2

References

https://github.com/protocolbuffers/protobuf/commit/cc8b34...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 19, 2024

Credit

Alexis Challande, Trail of Bits Ecosystem Security Team <[email protected]>