CVE-2024-7254
protobuf-java has potential Denial of Service issue
7.5
HIGH
CVSS 3.1
EPSS 0.13%
Description
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups (a series of SGROUP tags) can be corrupted by exceeding the stack limit, i.e. a StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or into Protobuf map fields, creates unbounded recursion that can be abused by an attacker.
How to fix CVE-2024-7254
To remediate CVE-2024-7254, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 3.25.5 or later
- —upgrade to 3.25.5 or later
- —upgrade to 3.25.5 or later
- —upgrade to 3.25.5 or later
- —upgrade to 3.25.5 or later
Is CVE-2024-7254 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (6)
- from 0
- from 0, < 3.25.5
- from 0, < 3.25.5
- from 0, < 3.25.5
- from 0, < 3.25.5
- from 0, < 3.25.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |