Vulnerability Description
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. a StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or into Protobuf map fields, creates unbounded recursion that an attacker can abuse.
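The mechanism above is that every SGROUP tag the parser meets pushes one more stack frame, so the depth of the input directly controls stack consumption. Upgrading to a fixed release is the real remedy; as a defence-in-depth illustration, the following is an added example (not code from the advisory or from the protobuf project) of a pre-parse check written against the wire format itself: it walks the raw bytes, tracks how deeply START_GROUP (wire type 3) tags nest, and rejects input that exceeds a configured limit before anything recursive touches it. The limit value, the helper names and the sample byte strings are all assumptions constructed for the example.

```python
"""Pre-parse nesting-depth check for Protocol Buffers wire data.

Added example, not from the advisory page or the protobuf project. It walks
the raw wire format, tracking how deeply START_GROUP (wire type 3) tags are
nested, and rejects input whose depth exceeds a configured limit before the
bytes are handed to a recursive parser. Sample inputs below are constructed.
"""
from typing import Tuple

WIRETYPE_VARINT = 0
WIRETYPE_FIXED64 = 1
WIRETYPE_LENGTH_DELIMITED = 2
WIRETYPE_START_GROUP = 3
WIRETYPE_END_GROUP = 4
WIRETYPE_FIXED32 = 5

DEFAULT_MAX_DEPTH = 100  # assumption: choose a limit that fits your stack budget


class MalformedMessage(ValueError):
    """Raised for input the gate refuses to pass on to the real parser."""


def read_varint(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a base-128 varint at pos; return (value, new_pos). Reject > 10 bytes."""
    result = 0
    shift = 0
    for _ in range(10):
        if pos >= len(data):
            raise MalformedMessage("truncated varint")
        b = data[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
    raise MalformedMessage("varint too long")


def max_group_depth(data: bytes, max_depth: int = DEFAULT_MAX_DEPTH) -> int:
    """Return the deepest SGROUP nesting in data.

    Raises MalformedMessage when the nesting exceeds max_depth, when groups are
    unbalanced, or when a field runs past the end of the input. Length-delimited
    fields are skipped rather than descended into: the wire format alone does not
    say whether they hold a submessage, and skipping keeps this check linear.
    """
    pos = 0
    depth = 0
    deepest = 0
    while pos < len(data):
        tag, pos = read_varint(data, pos)
        field_number = tag >> 3
        wire_type = tag & 0x7
        if field_number == 0:
            raise MalformedMessage("zero field number")
        if wire_type == WIRETYPE_VARINT:
            _, pos = read_varint(data, pos)
        elif wire_type == WIRETYPE_FIXED64:
            pos += 8
        elif wire_type == WIRETYPE_LENGTH_DELIMITED:
            length, pos = read_varint(data, pos)
            pos += length
        elif wire_type == WIRETYPE_START_GROUP:
            depth += 1
            if depth > max_depth:
                raise MalformedMessage(f"group nesting exceeds {max_depth}")
            deepest = max(deepest, depth)
        elif wire_type == WIRETYPE_END_GROUP:
            if depth == 0:
                raise MalformedMessage("END_GROUP without matching START_GROUP")
            depth -= 1
        elif wire_type == WIRETYPE_FIXED32:
            pos += 4
        else:
            raise MalformedMessage(f"unknown wire type {wire_type}")
        if pos > len(data):
            raise MalformedMessage("field runs past end of input")
    if depth != 0:
        raise MalformedMessage("unterminated group")
    return deepest


def nested_groups(depth: int, field_number: int = 1) -> bytes:
    """Constructed fixture: `depth` nested groups on one low field number."""
    start = bytes([(field_number << 3) | WIRETYPE_START_GROUP])
    end = bytes([(field_number << 3) | WIRETYPE_END_GROUP])
    return start * depth + end * depth


def is_safe_to_parse(data: bytes, max_depth: int = DEFAULT_MAX_DEPTH) -> bool:
    """Gate to place in front of a recursive parser; False means reject and log."""
    try:
        max_group_depth(data, max_depth)
        return True
    except MalformedMessage:
        return False


if __name__ == "__main__":
    # Constructed: field 1 = varint 150, field 2 = string "hi"; no groups at all.
    benign = bytes([0x08, 0x96, 0x01, 0x12, 0x02]) + b"hi"
    print(max_group_depth(benign))                              # 0
    print(is_safe_to_parse(nested_groups(3), max_depth=5))      # True
    print(is_safe_to_parse(nested_groups(6), max_depth=5))      # False
```

The check is linear in the input size and needs no recursion of its own, so it cannot be knocked over by the input it is guarding against. A rejection is also a useful detection signal: a peer sending hundreds of nested SGROUP tags is almost never doing so legitimately, so the reject path is worth logging with the source and the observed depth.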
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Google | Protobuf | < 3.25.5 |
| Google | Protobuf-Java | < 3.25.5 |
| Google | Protobuf-Javalite | < 3.25.5 |
| Google | Protobuf-Kotlin | < 3.25.5 |
| Google | Protobuf-Kotlin-Lite | < 3.25.5 |
| Netapp | Active Iq Unified Manager | - |
| Netapp | Bluexp | - |
| Netapp | Ontap Tools | 10 |
Related Weaknesses (CWE)
References
- https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb5 (Patch)
- https://security.netapp.com/advisory/ntap-20241213-0010/ (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20250418-0006/ (Third Party Advisory)
FAQ
What is CVE-2024-7254?
CVE-2024-7254 is a vulnerability with a CVSS score of 7.5 (HIGH). Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. a StackOverflow. Parsing n...
How severe is CVE-2024-7254?
CVE-2024-7254 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above.
Is there a patch for CVE-2024-7254?
Check the references section above for vendor advisories and patch information. Affected products include: Google Protobuf, Google Protobuf-Java, Google Protobuf-Javalite, Google Protobuf-Kotlin, Google Protobuf-Kotlin-Lite.