GHSA-8r3f-844c-mc37

Source
https://github.com/advisories/GHSA-8r3f-844c-mc37
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-8r3f-844c-mc37/GHSA-8r3f-844c-mc37.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8r3f-844c-mc37
Aliases
Related
Published
2024-03-06T00:31:27Z
Modified
2024-11-07T19:19:40Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • 6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
Summary
Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON
Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

References

Affected packages

Go / google.golang.org/protobuf

Package

Name
google.golang.org/protobuf
Purl
pkg:golang/google.golang.org/protobuf

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.33.0

Go / google.golang.org/protobuf/encoding/protojson

Package

Name
google.golang.org/protobuf/encoding/protojson
Purl
pkg:golang/google.golang.org/protobuf/encoding/protojson

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.33.0

Go / google.golang.org/protobuf/internal/encoding/json

Package

Name
google.golang.org/protobuf/internal/encoding/json
Purl
pkg:golang/google.golang.org/protobuf/internal/encoding/json

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.33.0
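As an added, stand-alone check (not code from the advisory or from the protobuf project): a small Go program that reads go.mod text and flags a google.golang.org/protobuf requirement older than the fixed release 1.33.0, treating pre-releases and pseudo-versions of an earlier base as affected. It assumes standard Go module version strings; the function names VulnerableProtobufVersion, olderThan and parseSemver are the example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Affected module and first fixed release, taken from the advisory above.
const affectedModule, fixedVersion = "google.golang.org/protobuf", "v1.33.0"

// parseSemver maps "v1.32.0" or "v1.33.0-rc1" to a sortable key [major minor patch rel],
// where rel is 0 for a pre-release or pseudo-version and 1 for a final release.
func parseSemver(v string) (k [4]int, ok bool) {
	base, _, isPre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	if n, err := fmt.Sscanf(base, "%d.%d.%d", &k[0], &k[1], &k[2]); err != nil || n != 3 {
		return k, false
	}
	if !isPre {
		k[3] = 1 // a final release sorts after any pre-release of the same base
	}
	return k, true
}

// olderThan reports whether a sorts strictly before b; unparsable input yields false.
func olderThan(a, b string) bool {
	ak, okA := parseSemver(a)
	bk, okB := parseSemver(b)
	for i := 0; okA && okB && i < len(ak); i++ {
		if ak[i] != bk[i] {
			return ak[i] < bk[i]
		}
	}
	return false
}

// VulnerableProtobufVersion scans go.mod text for the affected module and reports its
// required version and whether it predates the fix (single-line or block "require").
func VulnerableProtobufVersion(goMod string) (version string, vulnerable bool) {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == affectedModule {
			return f[1], olderThan(f[1], fixedVersion)
		}
	}
	return "", false
}

func main() { // stand-alone demo on a constructed go.mod fragment
	fmt.Println(VulnerableProtobufVersion("require google.golang.org/protobuf v1.32.0 // indirect"))
}
```

A go.mod require line is only a lower bound: `go list -m google.golang.org/protobuf` reports the version actually selected for a build, and govulncheck checks the resolved module graph against published Go advisories.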