CVE-2024-7254
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-7254
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-7254.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-7254
- Aliases
- Downstream
- Related
- Published
- 2024-09-19T01:15:10Z
- Modified
- 2025-11-05T11:11:10.328214Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
- References
Affected packages
Git / github.com/google/protobuf
Affected ranges
- Type
- GIT
- Repo
- https://github.com/google/protobuf
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
3.*
3.15.0-rc1
Other
conformance-build-tag
v2.*
v2.4.1
v2.5.0
v2.6.0
v2.6.1
v2.6.1rc1
v21.*
v21.0
v21.0-rc1
v21.0-rc2
v21.1
v21.10
v21.11
v21.12
v21.2
v21.3
v21.4
v21.5
v21.6
v21.9
v22.*
v22.0
v22.0-rc1
v22.0-rc2
v22.0-rc3
v22.1
v22.2
v22.3
v23.*
v23.0
v23.0-rc1
v23.0-rc2
v23.0-rc3
v24.*
v24.0
v24.0-rc1
v24.0-rc2
v24.0-rc3
v25.*
v25.0
v25.0-rc1
v25.0-rc2
v25.1
v25.2
v25.3
v25.4
v3.*
v3.0.0
v3.0.0-alpha-1
v3.0.0-alpha-2
v3.0.0-alpha-3
v3.0.0-alpha-4
v3.0.0-beta-1
v3.0.0-beta-1-bzl-fix
v3.0.0-beta-2
v3.0.0-beta-3
v3.0.0-beta-3-pre-1
v3.0.0-beta-4
v3.0.2
v3.1.0
v3.1.0-alpha-1
v3.10.0
v3.10.0-rc1
v3.11.0
v3.11.0-rc1
v3.11.0-rc2
v3.11.1
v3.11.2
v3.11.3
v3.11.4
v3.12.0
v3.12.0-rc1
v3.12.0-rc2
v3.12.1
v3.12.2
v3.12.3
v3.13.0
v3.13.0-rc3
v3.13.0.1
v3.14.0
v3.14.0-rc1
v3.14.0-rc2
v3.14.0-rc3
v3.15.0
v3.15.0-rc1
v3.15.0-rc2
v3.15.1
v3.15.2
v3.15.3
v3.15.4
v3.15.5
v3.15.6
v3.15.7
v3.15.8
v3.16.0
v3.16.0-rc1
v3.16.0-rc2
v3.17.0
v3.17.0-rc1
v3.17.0-rc2
v3.17.1
v3.17.2
v3.17.3
v3.18.0
v3.18.0-rc1
v3.18.0-rc2
v3.18.1
v3.19.0
v3.19.0-rc1
v3.19.0-rc2
v3.19.1
v3.19.2
v3.19.3
v3.19.4
v3.20.0
v3.20.0-rc1
v3.20.0-rc2
v3.20.0-rc3
v3.20.1
v3.20.1-rc1
v3.21.0
v3.21.0-rc2
v3.21.1
v3.21.10
v3.21.11
v3.21.12
v3.21.2
v3.21.3
v3.21.4
v3.21.5
v3.21.6
v3.21.9
v3.22.0
v3.22.0-rc1
v3.22.0-rc2
v3.22.0-rc3
v3.22.1
v3.22.2
v3.22.3
v3.23.0
v3.23.0-rc1
v3.23.0-rc2
v3.23.0-rc3
v3.24.0
v3.24.0-rc1
v3.24.0-rc2
v3.24.0-rc3
v3.25.0
v3.25.0-rc1
v3.25.0-rc2
v3.25.1
v3.25.2
v3.25.3
v3.25.4
v3.3.0
v3.3.0rc1
v3.3.1
v3.3.2
v3.4.0
v3.4.0rc1
v3.4.0rc2
v3.4.0rc3
v3.4.1
v3.5.0
v3.5.0.1
v3.5.1
v3.5.2
v3.6.0
v3.6.0.1
v3.6.0rc1
v3.6.0rc2
v3.6.1
v3.7.0
v3.7.0-rc.2
v3.7.0-rc.3
v3.7.0rc1
v3.7.0rc2
v3.7.1
v3.8.0
v3.8.0-rc1
v3.9.0-rc1
v4.*
v4.22.0
v4.22.0-rc1
v4.22.0-rc2
v4.22.0-rc3
v4.22.1
v4.22.2
v4.22.3
v4.23.0
v4.23.0-rc1
v4.23.0-rc2
v4.23.0-rc3
v4.24.0
v4.24.0-rc1
v4.24.0-rc2
v4.24.0-rc3
v4.25.0
v4.25.0-rc1
v4.25.0-rc2
v4.25.1
v4.25.2
v4.25.3
v4.25.4
Git / github.com/protocolbuffers/protobuf
Affected ranges
- Type
- GIT
- Repo
- https://github.com/protocolbuffers/protobuf
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
3.*
3.15.0-rc1
Other
conformance-build-tag
v26-dev
v27-dev
v28-dev
v2.*
v2.4.1
v2.5.0
v2.6.0
v2.6.1
v2.6.1rc1
v21.*
v21.0
v21.0-rc1
v21.0-rc2
v21.1
v21.10
v21.11
v21.12
v21.2
v21.3
v21.4
v21.5
v21.6
v21.9
v22.*
v22.0
v22.0-rc1
v22.0-rc2
v22.0-rc3
v22.1
v22.2
v22.3
v23.*
v23.0
v23.0-rc1
v23.0-rc2
v23.0-rc3
v24.*
v24.0
v24.0-rc1
v24.0-rc2
v24.0-rc3
v25.*
v25.0
v25.0-rc1
v25.0-rc2
v3.*
v3.0.0
v3.0.0-alpha-1
v3.0.0-alpha-2
v3.0.0-alpha-3
v3.0.0-alpha-4
v3.0.0-beta-1
v3.0.0-beta-1-bzl-fix
v3.0.0-beta-2
v3.0.0-beta-3
v3.0.0-beta-3-pre-1
v3.0.0-beta-4
v3.0.2
v3.1.0
v3.1.0-alpha-1
v3.10.0
v3.10.0-rc1
v3.11.0
v3.11.0-rc1
v3.11.0-rc2
v3.11.1
v3.11.2
v3.11.3
v3.11.4
v3.12.0
v3.12.0-rc1
v3.12.0-rc2
v3.12.1
v3.12.2
v3.12.3
v3.13.0
v3.13.0-rc3
v3.13.0.1
v3.14.0
v3.14.0-rc1
v3.14.0-rc2
v3.14.0-rc3
v3.15.0
v3.15.0-rc1
v3.15.0-rc2
v3.15.1
v3.15.2
v3.15.3
v3.15.4
v3.15.5
v3.15.6
v3.15.7
v3.15.8
v3.16.0
v3.16.0-rc1
v3.16.0-rc2
v3.17.0
v3.17.0-rc1
v3.17.0-rc2
v3.17.1
v3.17.2
v3.17.3
v3.18.0
v3.18.0-rc1
v3.18.0-rc2
v3.18.1
v3.19.0
v3.19.0-rc1
v3.19.0-rc2
v3.19.1
v3.19.2
v3.19.3
v3.19.4
v3.20.0
v3.20.0-rc1
v3.20.0-rc2
v3.20.0-rc3
v3.20.1
v3.20.1-rc1
v3.21.0
v3.21.0-rc2
v3.21.1
v3.21.10
v3.21.11
v3.21.12
v3.21.2
v3.21.3
v3.21.4
v3.21.5
v3.21.6
v3.21.9
v3.22.0
v3.22.0-rc1
v3.22.0-rc2
v3.22.0-rc3
v3.22.1
v3.22.2
v3.22.3
v3.23.0
v3.23.0-rc1
v3.23.0-rc2
v3.23.0-rc3
v3.24.0
v3.24.0-rc1
v3.24.0-rc2
v3.24.0-rc3
v3.25.0
v3.25.0-rc1
v3.25.0-rc2
v3.3.0
v3.3.0rc1
v3.3.1
v3.3.2
v3.4.0
v3.4.0rc1
v3.4.0rc2
v3.4.0rc3
v3.4.1
v3.5.0
v3.5.0.1
v3.5.1
v3.5.2
v3.6.0
v3.6.0.1
v3.6.0rc1
v3.6.0rc2
v3.6.1
v3.7.0
v3.7.0-rc.2
v3.7.0-rc.3
v3.7.0rc1
v3.7.0rc2
v3.7.1
v3.8.0
v3.8.0-rc1
v3.9.0-rc1
v4.*
v4.22.0
v4.22.0-rc1
v4.22.0-rc2
v4.22.0-rc3
v4.22.1
v4.22.2
v4.22.3
v4.23.0
v4.23.0-rc1
v4.23.0-rc2
v4.23.0-rc3
v4.24.0
v4.24.0-rc1
v4.24.0-rc2
v4.24.0-rc3
v4.25.0
v4.25.0-rc1
v4.25.0-rc2
Database specific
vanir_signatures
[
{
"deprecated": false,
"source": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa",
"id": "CVE-2024-7254-7a965aa2",
"digest": {
"line_hashes": [
"187699666725553001969903735843994537532",
"55306071626887955823303766262560698223",
"74584313714193226701178778011701277881",
"147749986059702625189561456237485046506",
"74823940619903515778371050986420796194",
"265665398887781583308524351206282095442",
"239720152912315002222994748187684200603",
"310196590678153343607164611204813127461",
"74823940619903515778371050986420796194",
"265665398887781583308524351206282095442",
"239720152912315002222994748187684200603"
],
"threshold": 0.9
},
"target": {
"file": "java/core/src/main/java/com/google/protobuf/MessageSchema.java"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"deprecated": false,
"source": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa",
"id": "CVE-2024-7254-8cf66719",
"digest": {
"line_hashes": [
"124163967352246688214546229473473883455",
"300713614716662775751458287037321463210",
"294268701189291199123888170460374916188",
"24961642600297195342164888948858260154",
"129317413791818856815644527685599871799"
],
"threshold": 0.9
},
"target": {
"file": "java/core/src/main/java/com/google/protobuf/ArrayDecoders.java"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"deprecated": false,
"source": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa",
"id": "CVE-2024-7254-9988d8d4",
"digest": {
"line_hashes": [
"92273624040218165778987697797792380720",
"81525801942758895160828723104013261995",
"241044337175306843160308758859746429129",
"160531667966112287605753022255151236614",
"100435754983116611431478047320981963593",
"324837249835571934525420407386979029348",
"24734704794166928727777614298399665820",
"86118173199264051695381862993566979662",
"139515334792916736183679688177651617388",
"251135687449804296650880880240700788623",
"239974696282359619535496261995776110048",
"42957001103383622642059814999783710523",
"110848489944646821233482879575670719863"
],
"threshold": 0.9
},
"target": {
"file": "java/lite/src/test/java/com/google/protobuf/LiteTest.java"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"deprecated": false,
"source": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa",
"id": "CVE-2024-7254-9c51baed",
"digest": {
"line_hashes": [
"331837591212601565404889112357441580747",
"6848830727921630298366094500443245455",
"337032765652427255037688029722863516341",
"109853233186423233996409611364920863013",
"159204753246371336798510571774129811201",
"333810459316441745068039040687153935672",
"15475016457827397842140856676540627879"
],
"threshold": 0.9
},
"target": {
"file": "java/core/src/main/java/com/google/protobuf/UnknownFieldSchema.java"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"deprecated": false,
"source": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa",
"id": "CVE-2024-7254-be705a3b",
"digest": {
"line_hashes": [
"280155160883867168633966633787872132746",
"249270040444639382789703269790216933115",
"483488570655035415058762629769103926",
"159460365723612061991314749211322806383"
],
"threshold": 0.9
},
"target": {
"file": "java/core/src/main/java/com/google/protobuf/InvalidProtocolBufferException.java"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"deprecated": false,
"source": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa",
"id": "CVE-2024-7254-c632972f",
"digest": {
"function_hash": "193954467700084152208333944298167438950",
"length": 191.0
},
"target": {
"function": "recursionLimitExceeded",
"file": "java/core/src/main/java/com/google/protobuf/InvalidProtocolBufferException.java"
},
"signature_type": "Function",
"signature_version": "v1"
}
]