CVE-2024-24786 – google.golang.org/protobuf
Package
Manager: go
Name: google.golang.org/protobuf
Vulnerable Version: >=0 <1.33.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
EPSS: 0.00231 (percentile: 0.45836)
Details
Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
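A dependency check for the version range above, as an added example that is not part of the advisory or of the protobuf project: it reads the text of a go.mod file and reports whether the required google.golang.org/protobuf version is below 1.33.0. The helper names ScanGoMod and IsVulnerable and the sample go.mod line are constructed for illustration, and the check assumes go.mod lists the version that is actually built.

```go
package main

import (
	"fmt"
	"strings"
)

const protobufModule = "google.golang.org/protobuf"

// IsVulnerable (hypothetical helper) reports whether version v is below v1.33.0,
// the first patched release; pre-releases and pseudo-versions of v1.33.0 count as vulnerable.
func IsVulnerable(v string) (vulnerable, ok bool) {
	core, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var major, minor, patch int
	if n, _ := fmt.Sscanf(core, "%d.%d.%d", &major, &minor, &patch); n != 3 {
		return false, false
	}
	if major != 1 || minor != 33 {
		return major < 1 || (major == 1 && minor < 33), true
	}
	return patch == 0 && pre, true
}

// ScanGoMod (hypothetical helper) returns the version go.mod requires for protobufModule.
func ScanGoMod(goMod string) (version string, found bool) {
	block := ""
	for _, raw := range strings.Split(goMod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // strip "// indirect" comments
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[1] == "(":
			block = f[0] // entering a require/replace/exclude block
		case len(f) == 1 && f[0] == ")":
			block = ""
		case len(f) == 3 && f[0] == "require" && f[1] == protobufModule:
			return f[2], true
		case len(f) == 2 && block == "require" && f[0] == protobufModule:
			return f[1], true
		}
	}
	return "", false
}

func main() {
	v, _ := ScanGoMod("require google.golang.org/protobuf v1.32.0\n") // constructed go.mod
	vuln, _ := IsVulnerable(v)
	fmt.Println(protobufModule, v, "vulnerable:", vuln)
}
```

Lines inside exclude and replace blocks are skipped, so only the require entry is evaluated.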
Metadata
Created: 2024-03-06T00:31:27Z
Modified: 2024-11-07T19:19:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-8r3f-844c-mc37/GHSA-8r3f-844c-mc37.json
CWE IDs: ["CWE-835"]
Alternative ID: GHSA-8r3f-844c-mc37
Finding: F138
Auto approve: 1