GHSA-7gcm-g887-7qv7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7gcm-g887-7qv7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-7gcm-g887-7qv7/GHSA-7gcm-g887-7qv7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7gcm-g887-7qv7
- Aliases
-
- CVE-2026-0994
- Downstream
- Related
- Published
- 2026-01-23T15:31:35Z
- Modified
- 2026-02-04T04:16:03.035804Z
- Severity
-
- 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L CVSS Calculator
- Summary
- protobuf affected by a JSON recursion depth bypass
- Details
-
A denial-of-service (DoS) vulnerability exists in google.protobuf.jsonformat.ParseDict() in Python, where the maxrecursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.
Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
- Database specific
{ "severity": "HIGH", "cwe_ids": [ "CWE-674" ], "github_reviewed_at": "2026-01-23T16:56:33Z", "github_reviewed": true, "nvd_published_at": "2026-01-23T15:16:06Z" }- References
Affected packages
PyPI / protobuf
Package
- Name
- protobuf
- View open source insights on deps.dev
- Purl
- pkg:pypi/protobuf
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.33.5
Affected versions
2.*
2.0.0beta
2.0.3
2.3.0
2.4.1
2.5.0
2.6.0
2.6.1
3.*
3.0.0a2
3.0.0a3
3.0.0b1
3.0.0b1.post1
3.0.0b1.post2
3.0.0b2
3.0.0b2.post1
3.0.0b2.post2
3.0.0b3
3.0.0b4
3.0.0
3.1.0
3.1.0.post1
3.2.0rc1
3.2.0rc1.post1
3.2.0rc2
3.2.0
3.3.0
3.4.0
3.5.0.post1
3.5.1
3.5.2
3.5.2.post1
3.6.0
3.6.1
3.7.0rc2
3.7.0rc3
3.7.0
3.7.1
3.8.0rc1
3.8.0
3.9.0rc1
3.9.0
3.9.1
3.9.2
3.10.0rc1
3.10.0
3.11.0rc1
3.11.0rc2
3.11.0
3.11.1
3.11.2
3.11.3
3.12.0rc1
3.12.0rc2
3.12.0
3.12.1
3.12.2
3.12.4
3.13.0rc3
3.13.0
3.14.0rc1
3.14.0rc2
3.14.0rc3
3.14.0
3.15.0rc1
3.15.0rc2
3.15.0
3.15.1
3.15.2
3.15.3
3.15.4
3.15.5
3.15.6
3.15.7
3.15.8
3.16.0rc1
3.16.0rc2
3.16.0
3.17.0rc1
3.17.0rc2
3.17.0
3.17.1
3.17.2
3.17.3
3.18.0rc1
3.18.0rc2
3.18.0
3.18.1
3.18.3
3.19.0rc1
3.19.0rc2
3.19.0
3.19.1
3.19.2
3.19.3
3.19.4
3.19.5
3.19.6
3.20.0rc1
3.20.0rc2
3.20.0
3.20.1rc1
3.20.1
3.20.2
3.20.3
4.*
4.0.0rc1
4.0.0rc2
4.21.0rc1
4.21.0rc2
4.21.0
4.21.1
4.21.2
4.21.3
4.21.4
4.21.5
4.21.6
4.21.7
4.21.8
4.21.9
4.21.10
4.21.11
4.21.12
4.22.0rc1
4.22.0rc2
4.22.0rc3
4.22.0
4.22.1
4.22.3
4.22.4
4.22.5
4.23.0rc2
4.23.0rc3
4.23.0
4.23.1
4.23.2
4.23.3
4.23.4
4.24.0rc1
4.24.0rc2
4.24.0rc3
4.24.0
4.24.1
4.24.2
4.24.3
4.24.4
4.25.0rc1
4.25.0rc2
4.25.0
4.25.1
4.25.2
4.25.3
4.25.4
4.25.5
4.25.6
4.25.7
4.25.8
5.*
5.26.0rc1
5.26.0rc2
5.26.0rc3
5.26.0
5.26.1
5.27.0rc1
5.27.0rc2
5.27.0rc3
5.27.0
5.27.1
5.27.2
5.27.3
5.27.4
5.27.5
5.28.0rc1
5.28.0rc2
5.28.0rc3
5.28.0
5.28.1
5.28.2
5.28.3
5.29.0rc1
5.29.0rc2
5.29.0rc3
5.29.0
5.29.1
5.29.2
5.29.3
5.29.4
5.29.5
6.*
6.30.0rc1
6.30.0rc2
6.30.0
6.30.1
6.30.2
6.31.0rc1
6.31.0rc2
6.31.0
6.31.1
6.32.0rc1
6.32.0rc2
6.32.0
6.32.1
6.33.0rc1
6.33.0rc2
6.33.0
6.33.1
6.33.2
6.33.3
6.33.4