CVE-2024-7254

CVE-2024-7254

Name

CVE-2024-7254

Description

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
	https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20241213-0010/
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20250418-0006/

Type

URI

https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa

af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20241213-0010/

af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20250418-0006/

Match rules

CPE URI	Source package	Min version	Max version
	protocol-buffers	>= 0	< 28.2
	protobuf-java	>= 0	< 3.25.5
	protobuf-java	>= 0	< 4.27.5
	protobuf-java	>= 0	< 4.28.2
	protobuf-javalite	>= 0	< 3.25.5
	protobuf-javalite	>= 0	< 4.27.5
	protobuf-javalite	>= 0	< 4.28.2
	protobuf-kotlin	>= 0	< 3.25.5
	protobuf-kotlin	>= 0	< 4.27.5
	protobuf-kotlin	>= 0	< 4.28.2
	protobuf-kotllin-lite	>= 0	< 3.25.5
	protobuf-kotllin-lite	>= 0	< 4.27.5
	protobuf-kotllin-lite	>= 0	< 4.28.2
	google-protobuf-[jruby-gem]	>= 0	< 3.25.5
	google-protobuf-[jruby-gem]	>= 0	< 4.27.5
	google-protobuf-[jruby-gem]	>= 0	< 4.28.2
`cpe:2.3:a:google:protobuf:3.25.5:::::ruby::`	ruby-protobuf	== None	== 3.25.5
`cpe:2.3:a:google:protobuf:4.27.5:::::ruby::`	ruby-protobuf	== None	== 4.27.5
`cpe:2.3:a:google:protobuf:4.28.2:::::ruby::`	ruby-protobuf	== None	== 4.28.2
`cpe:2.3:a:google:protobuf:28.2:::::::*`	protobuf	== None	== 28.2
`cpe:2.3:a:google:protobuf-java:3.25.5:::::::*`	protobuf-java	== None	== 3.25.5
`cpe:2.3:a:google:protobuf-java:4.27.5:::::::*`	protobuf-java	== None	== 4.27.5
`cpe:2.3:a:google:protobuf-java:4.28.2:::::::*`	protobuf-java	== None	== 4.28.2
`cpe:2.3:a:google:protobuf-javalite:3.25.5:::::::*`	protobuf-javalite	== None	== 3.25.5
`cpe:2.3:a:google:protobuf-javalite:4.27.5:::::::*`	protobuf-javalite	== None	== 4.27.5
`cpe:2.3:a:google:protobuf-javalite:4.28.2:::::::*`	protobuf-javalite	== None	== 4.28.2
`cpe:2.3:a:google:protobuf-kotlin:3.25.5:::::::*`	protobuf-kotlin	== None	== 3.25.5
`cpe:2.3:a:google:protobuf-kotlin:4.27.5:::::::*`	protobuf-kotlin	== None	== 4.27.5
`cpe:2.3:a:google:protobuf-kotlin:4.28.2:::::::*`	protobuf-kotlin	== None	== 4.28.2
`cpe:2.3:a:google:protobuf-kotlin-lite:3.25.5:::::::*`	protobuf-kotlin-lite	== None	== 3.25.5
`cpe:2.3:a:google:protobuf-kotlin-lite:4.27.5:::::::*`	protobuf-kotlin-lite	== None	== 4.27.5
`cpe:2.3:a:google:protobuf-kotlin-lite:4.28.2:::::::*`	protobuf-kotlin-lite	== None	== 4.28.2
`cpe:2.3:a:google:protobuf::::::ruby::*`	ruby-protobuf	>= 4.0.0	< 4.27.5
`cpe:2.3:a:google:protobuf::::::ruby::*`	ruby-protobuf	>= 4.28.0	< 4.28.2
`cpe:2.3:a:google:protobuf-java::::::::`	protobuf-java	>= 4.0.0	< 4.27.5
`cpe:2.3:a:google:protobuf-java::::::::`	protobuf-java	>= 4.28.0	< 4.28.2
`cpe:2.3:a:google:protobuf-javalite::::::::`	protobuf-javalite	>= 4.0.0	< 4.27.5
`cpe:2.3:a:google:protobuf-javalite::::::::`	protobuf-javalite	>= 4.28.0	< 4.28.2
`cpe:2.3:a:google:protobuf-kotlin::::::::`	protobuf-kotlin	>= 4.0.0	< 4.27.5
`cpe:2.3:a:google:protobuf-kotlin::::::::`	protobuf-kotlin	>= 4.28.0	< 4.28.2
`cpe:2.3:a:google:protobuf-kotlin-lite::::::::`	protobuf-kotlin-lite	>= 4.0.0	< 4.27.5
`cpe:2.3:a:google:protobuf-kotlin-lite::::::::`	protobuf-kotlin-lite	>= 4.28.0	<= 4.28.2

CPE URI

Source package

Min version

Max version

protocol-buffers

>= 0

< 28.2

protobuf-java

>= 0

< 3.25.5

protobuf-java

>= 0

< 4.27.5

protobuf-java

>= 0

< 4.28.2

protobuf-javalite

>= 0

< 3.25.5

protobuf-javalite

>= 0

< 4.27.5

protobuf-javalite

>= 0

< 4.28.2

protobuf-kotlin

>= 0

< 3.25.5

protobuf-kotlin

>= 0

< 4.27.5

protobuf-kotlin

>= 0

< 4.28.2

protobuf-kotllin-lite

>= 0

< 3.25.5

protobuf-kotllin-lite

>= 0

< 4.27.5

protobuf-kotllin-lite

>= 0

< 4.28.2

google-protobuf-[jruby-gem]

>= 0

< 3.25.5

google-protobuf-[jruby-gem]

>= 0

< 4.27.5

google-protobuf-[jruby-gem]

>= 0

< 4.28.2

cpe:2.3:a:google:protobuf:3.25.5:*:*:*:*:ruby:*:*

ruby-protobuf

== None

== 3.25.5

cpe:2.3:a:google:protobuf:4.27.5:*:*:*:*:ruby:*:*

ruby-protobuf

== None

== 4.27.5

cpe:2.3:a:google:protobuf:4.28.2:*:*:*:*:ruby:*:*

ruby-protobuf

== None

== 4.28.2

cpe:2.3:a:google:protobuf:28.2:*:*:*:*:*:*:*

protobuf

== None

== 28.2

cpe:2.3:a:google:protobuf-java:3.25.5:*:*:*:*:*:*:*

protobuf-java

== None

== 3.25.5

cpe:2.3:a:google:protobuf-java:4.27.5:*:*:*:*:*:*:*

protobuf-java

== None

== 4.27.5

cpe:2.3:a:google:protobuf-java:4.28.2:*:*:*:*:*:*:*

protobuf-java

== None

== 4.28.2

cpe:2.3:a:google:protobuf-javalite:3.25.5:*:*:*:*:*:*:*

protobuf-javalite

== None

== 3.25.5

cpe:2.3:a:google:protobuf-javalite:4.27.5:*:*:*:*:*:*:*

protobuf-javalite

== None

== 4.27.5

cpe:2.3:a:google:protobuf-javalite:4.28.2:*:*:*:*:*:*:*

protobuf-javalite

== None

== 4.28.2

cpe:2.3:a:google:protobuf-kotlin:3.25.5:*:*:*:*:*:*:*

protobuf-kotlin

== None

== 3.25.5

cpe:2.3:a:google:protobuf-kotlin:4.27.5:*:*:*:*:*:*:*

protobuf-kotlin

== None

== 4.27.5

cpe:2.3:a:google:protobuf-kotlin:4.28.2:*:*:*:*:*:*:*

protobuf-kotlin

== None

== 4.28.2

cpe:2.3:a:google:protobuf-kotlin-lite:3.25.5:*:*:*:*:*:*:*

protobuf-kotlin-lite

== None

== 3.25.5

cpe:2.3:a:google:protobuf-kotlin-lite:4.27.5:*:*:*:*:*:*:*

protobuf-kotlin-lite

== None

== 4.27.5

cpe:2.3:a:google:protobuf-kotlin-lite:4.28.2:*:*:*:*:*:*:*

protobuf-kotlin-lite

== None

== 4.28.2

cpe:2.3:a:google:protobuf:*:*:*:*:*:ruby:*:*

ruby-protobuf

>= 4.0.0

< 4.27.5

cpe:2.3:a:google:protobuf:*:*:*:*:*:ruby:*:*

ruby-protobuf

>= 4.28.0

< 4.28.2

cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*

protobuf-java

>= 4.0.0

< 4.27.5

cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*

protobuf-java

>= 4.28.0

< 4.28.2

cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*

protobuf-javalite

>= 4.0.0

< 4.27.5

cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*

protobuf-javalite

>= 4.28.0

< 4.28.2

cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*

protobuf-kotlin

>= 4.0.0

< 4.27.5

cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*

protobuf-kotlin

>= 4.28.0

< 4.28.2

cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*

protobuf-kotlin-lite

>= 4.0.0

< 4.27.5

cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*

protobuf-kotlin-lite

>= 4.28.0

<= 4.28.2

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
protobuf	edge-main	24.4-r4	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
protobuf	3.20-main	24.4-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
protobuf	3.19-main	24.4-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
protobuf	3.18-main	3.21.12-r2	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
protobuf	3.17-main	3.21.9-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

protobuf

edge-main

24.4-r4

Natanael Copa <ncopa@alpinelinux.org>

possibly vulnerable

protobuf

3.20-main