Any project that uses the Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages, or a series of SGROUP
tags can be corrupted by exceeding the Python recursion limit.
Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team ecosystem@trailofbits.com
Affected versions: This issue only affects the pure-Python implementation of the protobuf-python backend. That implementation is used when the PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python
environment variable is set, and it is the default when protobuf is used from Bazel or from pure-Python PyPI wheels. CPython PyPI wheels do not use the pure-Python implementation by default.
This is a Python variant of a previous issue affecting protobuf-java.
This is a potential Denial of Service. Parsing deeply nested protobuf data creates unbounded recursion that an attacker can abuse.
For reproduction details, please refer to the unit tests decodertest.py and messagetest
A mitigation is available now. Please update to the latest available versions of the following packages:
* protobuf-python (4.25.8, 5.29.5, 6.31.1)
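As an added defence-in-depth example (not code from this advisory or from the protobuf project), the guard below scans the raw wire format and bounds SGROUP/EGROUP nesting before the data reaches the pure-Python parser; MAX_GROUP_DEPTH and the function names are assumptions.

```python
MAX_GROUP_DEPTH = 100  # assumed guard limit, well below Python's default recursion limit


def _read_varint(buf: bytes, pos: int):
    """Decode a base-128 varint at pos and return (value, new_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or overlong varint")
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def max_group_depth(buf: bytes) -> int:
    """Return the deepest SGROUP (wire type 3) / EGROUP (wire type 4) nesting.
    Length-delimited embedded messages (wire type 2) cannot be told apart from
    bytes fields without the schema, so only group nesting is measured."""
    pos, stack, deepest = 0, [], 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field, wire_type = tag >> 3, tag & 0x7
        if wire_type == 0:  # varint payload
            _, pos = _read_varint(buf, pos)
        elif wire_type in (1, 5):  # fixed64 / fixed32
            pos += 8 if wire_type == 1 else 4
        elif wire_type == 2:  # length-delimited: skip the payload
            length, pos = _read_varint(buf, pos)
            pos += length
        elif wire_type == 3:  # SGROUP: one more level of nesting
            stack.append(field)
            deepest = max(deepest, len(stack))
        elif wire_type == 4:  # EGROUP must close the innermost open group
            if not stack or stack.pop() != field:
                raise ValueError("EGROUP without matching SGROUP")
        else:
            raise ValueError(f"invalid wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("field runs past end of buffer")
    if stack:
        raise ValueError("unterminated group")
    return deepest


def is_safe_to_parse(buf: bytes, limit: int = MAX_GROUP_DEPTH) -> bool:
    """True only if framing is sane and group nesting stays within limit."""
    try:
        return max_group_depth(buf) <= limit
    except ValueError:
        return False
```

This complements upgrading rather than replacing it: nesting through length-delimited embedded messages is only visible to a schema-aware parser, so that depth must still be bounded by the fixed library.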
Severity: HIGH
CWE: CWE-674
GitHub reviewed: true (2025-06-16T16:02:58Z)
NVD published: 2025-06-16T15:15:24Z