{"id":"CVE-2024-7254","details":"Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.","aliases":["GHSA-735f-pc8j-v9w8"],"modified":"2026-03-23T05:03:42.720441227Z","published":"2024-09-19T01:15:10.963Z","related":["CGA-jf2g-4fp6-hv73","SUSE-SU-2024:3745-1","SUSE-SU-2024:3746-1","SUSE-SU-2024:3747-1","SUSE-SU-2025:20074-1","SUSE-SU-2025:20672-1","openSUSE-SU-2025:14832-1"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241213-0010/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250418-0006/"},{"type":"FIX","url":"https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/protocolbuffers/protobuf","events":[{"introduced":"0"},{"fixed":"9d0ec0f92b5b5fdeeda11f9dcecc1872ff378014"},{"introduced":"0"},{"fixed":"9d0ec0f92b5b5fdeeda11f9dcecc1872ff378014"},{"introduced":"0"},{"fixed":"9d0ec0f92b5b5fdeeda11f9dcecc1872ff378014"},{"introduced":"0"},{"fixed":"9d0ec0f92b5b5fdeeda11f9dcecc1872ff378014"},{"introduced":"0"},{"fixed":"9d0ec0f92b5b5fdeeda11f9dcecc1872ff378014"},{"fixed":"cc8b3483a5584b3301e3d43d17eb59704857ffaa"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.25.5"},{"introduced":"0"},{"fixed":"3.25.5"},{"introduced":"0"},{"fixed":"3.25.5"},{"introduced":"0"},{"fixed":"3.25.5"},{"introduced":"0"},{"fixed":"3.25.5"}]}}],"versions":["3.15.0-rc1","conformance-build-tag","v2.4.1","v2.5.0","v2.6.0","v2.6.1","v2.6.1rc1","v21.0","v21.0-rc1","v21.0-rc2","v21.1","v21.10","v21.11","v21.12","v21.2","v21.3","v21.4","v21.5","v21.6","v21.9","v22.0","v22.0-rc1","v22.0-rc2","v2
2.0-rc3","v22.1","v22.2","v22.3","v23.0","v23.0-rc1","v23.0-rc2","v23.0-rc3","v24.0","v24.0-rc1","v24.0-rc2","v24.0-rc3","v25.0","v25.0-rc1","v25.0-rc2","v25.1","v25.2","v25.3","v25.4","v26-dev","v27-dev","v28-dev","v3.0.0","v3.0.0-alpha-1","v3.0.0-alpha-2","v3.0.0-alpha-3","v3.0.0-alpha-4","v3.0.0-beta-1","v3.0.0-beta-1-bzl-fix","v3.0.0-beta-2","v3.0.0-beta-3","v3.0.0-beta-3-pre-1","v3.0.0-beta-4","v3.0.2","v3.1.0","v3.1.0-alpha-1","v3.10.0","v3.10.0-rc1","v3.11.0","v3.11.0-rc1","v3.11.0-rc2","v3.11.1","v3.11.2","v3.11.3","v3.11.4","v3.12.0","v3.12.0-rc1","v3.12.0-rc2","v3.12.1","v3.12.2","v3.12.3","v3.13.0","v3.13.0-rc3","v3.13.0.1","v3.14.0","v3.14.0-rc1","v3.14.0-rc2","v3.14.0-rc3","v3.15.0","v3.15.0-rc1","v3.15.0-rc2","v3.15.1","v3.15.2","v3.15.3","v3.15.4","v3.15.5","v3.15.6","v3.15.7","v3.15.8","v3.16.0","v3.16.0-rc1","v3.16.0-rc2","v3.17.0","v3.17.0-rc1","v3.17.0-rc2","v3.17.1","v3.17.2","v3.17.3","v3.18.0","v3.18.0-rc1","v3.18.0-rc2","v3.18.1","v3.19.0","v3.19.0-rc1","v3.19.0-rc2","v3.19.1","v3.19.2","v3.19.3","v3.19.4","v3.20.0","v3.20.0-rc1","v3.20.0-rc2","v3.20.0-rc3","v3.20.1","v3.20.1-rc1","v3.21.0","v3.21.0-rc2","v3.21.1","v3.21.10","v3.21.11","v3.21.12","v3.21.2","v3.21.3","v3.21.4","v3.21.5","v3.21.6","v3.21.9","v3.22.0","v3.22.0-rc1","v3.22.0-rc2","v3.22.0-rc3","v3.22.1","v3.22.2","v3.22.3","v3.23.0","v3.23.0-rc1","v3.23.0-rc2","v3.23.0-rc3","v3.24.0","v3.24.0-rc1","v3.24.0-rc2","v3.24.0-rc3","v3.25.0","v3.25.0-rc1","v3.25.0-rc2","v3.25.1","v3.25.2","v3.25.3","v3.25.4","v3.3.0","v3.3.0rc1","v3.3.1","v3.3.2","v3.4.0","v3.4.0rc1","v3.4.0rc2","v3.4.0rc3","v3.4.1","v3.5.0","v3.5.0.1","v3.5.1","v3.5.2","v3.6.0","v3.6.0.1","v3.6.0rc1","v3.6.0rc2","v3.6.1","v3.7.0","v3.7.0-rc.2","v3.7.0-rc.3","v3.7.0rc1","v3.7.0rc2","v3.7.1","v3.8.0","v3.8.0-rc1","v3.9.0-rc1","v4.22.0","v4.22.0-rc1","v4.22.0-rc2","v4.22.0-rc3","v4.22.1","v4.22.2","v4.22.3","v4.23.0","v4.23.0-rc1","v4.23.0-rc2","v4.23.0-rc3","v4.24.0","v4.24.0-rc1","v4.24.0-rc2","v4.24.0-rc3","v4.25.0","v4
.25.0-rc1","v4.25.0-rc2","v4.25.1","v4.25.2","v4.25.3","v4.25.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-7254.json","vanir_signatures":[{"digest":{"line_hashes":["187699666725553001969903735843994537532","55306071626887955823303766262560698223","74584313714193226701178778011701277881","147749986059702625189561456237485046506","74823940619903515778371050986420796194","265665398887781583308524351206282095442","239720152912315002222994748187684200603","310196590678153343607164611204813127461","74823940619903515778371050986420796194","265665398887781583308524351206282095442","239720152912315002222994748187684200603"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa","signature_version":"v1","id":"CVE-2024-7254-7a965aa2","target":{"file":"java/core/src/main/java/com/google/protobuf/MessageSchema.java"},"signature_type":"Line","deprecated":false},{"signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa","signature_version":"v1","id":"CVE-2024-7254-8cf66719","target":{"file":"java/core/src/main/java/com/google/protobuf/ArrayDecoders.java"},"digest":{"line_hashes":["124163967352246688214546229473473883455","300713614716662775751458287037321463210","294268701189291199123888170460374916188","24961642600297195342164888948858260154","129317413791818856815644527685599871799"],"threshold":0.9},"deprecated":false},{"signature_type":"Line","source":"https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa","signature_version":"v1","id":"CVE-2024-7254-9988d8d4","target":{"file":"java/lite/src/test/java/com/google/protobuf/LiteTest.java"},"digest":{"line_hashes":["92273624040218165778987697797792380720","81525801942758895160828723104013261995","241044337175306843160308758859746429129","160531667966112287605753022255151236614","100435754983116611431478
047320981963593","324837249835571934525420407386979029348","24734704794166928727777614298399665820","86118173199264051695381862993566979662","139515334792916736183679688177651617388","251135687449804296650880880240700788623","239974696282359619535496261995776110048","42957001103383622642059814999783710523","110848489944646821233482879575670719863"],"threshold":0.9},"deprecated":false},{"deprecated":false,"source":"https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa","signature_version":"v1","id":"CVE-2024-7254-9c51baed","target":{"file":"java/core/src/main/java/com/google/protobuf/UnknownFieldSchema.java"},"signature_type":"Line","digest":{"line_hashes":["331837591212601565404889112357441580747","6848830727921630298366094500443245455","337032765652427255037688029722863516341","109853233186423233996409611364920863013","159204753246371336798510571774129811201","333810459316441745068039040687153935672","15475016457827397842140856676540627879"],"threshold":0.9}},{"digest":{"line_hashes":["280155160883867168633966633787872132746","249270040444639382789703269790216933115","483488570655035415058762629769103926","159460365723612061991314749211322806383"],"threshold":0.9},"source":"https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa","signature_version":"v1","id":"CVE-2024-7254-be705a3b","target":{"file":"java/core/src/main/java/com/google/protobuf/InvalidProtocolBufferException.java"},"signature_type":"Line","deprecated":false},{"deprecated":false,"source":"https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa","signature_version":"v1","id":"CVE-2024-7254-c632972f","target":{"function":"recursionLimitExceeded","file":"java/core/src/main/java/com/google/protobuf/InvalidProtocolBufferException.java"},"signature_type":"Function","digest":{"length":191,"function_hash":"193954467700084152208333944298167438950"}}],"unresolved_ranges":[{"events":[{"introduced":"4.0
.0"},{"fixed":"4.27.5"}]},{"events":[{"introduced":"4.28.0"},{"fixed":"4.28.2"}]},{"events":[{"introduced":"4.0.0"},{"fixed":"4.27.5"}]},{"events":[{"introduced":"4.28.0"},{"fixed":"4.28.2"}]},{"events":[{"introduced":"4.0.0"},{"fixed":"4.27.5"}]},{"events":[{"introduced":"4.28.0"},{"fixed":"4.28.2"}]},{"events":[{"introduced":"4.0.0"},{"fixed":"4.27.5"}]},{"events":[{"introduced":"4.28.0"},{"fixed":"4.28.2"}]},{"events":[{"introduced":"4.0.0"},{"fixed":"4.27.5"}]},{"events":[{"introduced":"4.28.0"},{"last_affected":"4.28.2"}]},{"events":[{"introduced":"0"},{"last_affected":"10"}]}]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}