Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

cve-2024-7254
Back to All
CVE

CVE-2024-7254

protobuf-java has potential Denial of Service issue

Description

Summary

When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team ecosystem@trailofbits.com

Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.

Severity

CVE-2024-7254 High CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)

This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

Proof of Concept

For reproduction details, please refer to the unit tests (Protobuf Java LiteTest and CodedInputStreamTest) that identify the specific inputs that exercise this parsing weakness.

Remediation and Mitigation

We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:

  • protobuf-java (3.25.5, 4.27.5, 4.28.2)
  • protobuf-javalite (3.25.5, 4.27.5, 4.28.2)
  • protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)
  • protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)
  • com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)

Base CVSS

7.5

EPSS Score

0.18%

Introduced Version

0

Fix Available

3.25.5,4.27.5,4.28.2

Available Patches

Package
CVEs Fixed
Lines of Code Changed
Package Name
com.google.protobuf:protobuf-java
3.21.6
CVES Fixed
C
0
H
3
M
0
L
0
Code Changed
+761
-1323

References

https://security.netapp.com/advisory/ntap-20250418-0006
https://nvd.nist.gov/vuln/detail/CVE-2024-7254
https://github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2024-7254.yml
https://github.com/protocolbuffers/protobuf
https://security.netapp.com/advisory/ntap-20241213-0010
https://github.com/protocolbuffers/protobuf/commit/4728531c162f2f9e8c2ca1add713cfee2db6be3b
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8
https://github.com/protocolbuffers/protobuf/commit/ac9fb5b4c71b0dd80985b27684e265d1f03abf46
https://github.com/protocolbuffers/protobuf/commit/9a5f5fe752a20cbac2e722b06949ac985abdd534
https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
https://github.com/protocolbuffers/protobuf/commit/d6c82fc55a76481c676f541a255571e8950bb8c3

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance
Oops! Something went wrong, please try again.
brightness-increase
moon-01