CVE-2024-7254

Stack overflow in Protocol Buffers Java Lite

Published: 9/19/2024 Last updated: 9/8/2025 Reserved: 7/29/2024

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that can be abused by an attacker.

CNA assigner: Google (14ed7db2-1595-443d-9d34-6215bf890778) Requested by: n/a

Metrics

Version  Score  Severity  Vector String
4.0      8.7    High      CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Opam packages affected (5)

conf-protoc conf-protoc-dev kinetic-client protocell riak-pb

Products affected (12)

Product                      Vendor  Version
Protocol Buffers             Google  <= 7.2.1
protobuf-java                Google  SA6145P
protobuf-javalite            Google  <= 7.0.7
protobuf-kotlin              Google  < 10.0.17763.5458
protobuf-kotlin-lite         Google  SA6150P
google-protobuf [JRuby Gem]  Google  n/a
Protocol Buffers             Google  < publication
protobuf-java                Google  21.sp1 ap363431
protobuf-javalite            Google  n/a
protobuf-kotlin              Google  21.sp1 ap362120
protobuf-kotlin-lite         Google  < 8.2.170.0
google-protobuf [JRuby Gem]  Google  n/a

References (6)

Credits (2)