{"id":"CVE-2024-7254","details":"Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.","aliases":["GHSA-735f-pc8j-v9w8"],"modified":"2026-04-12T17:29:17.430783Z","published":"2024-09-19T01:15:10.963Z","related":["CGA-jf2g-4fp6-hv73","SUSE-SU-2024:3745-1","SUSE-SU-2024:3746-1","SUSE-SU-2024:3747-1","SUSE-SU-2025:20074-1","SUSE-SU-2025:20672-1","openSUSE-SU-2025:14832-1"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241213-0010/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250418-0006/"},{"type":"FIX","url":"https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/protocolbuffers/protobuf","events":[{"introduced":"0"},{"fixed":"9d0ec0f92b5b5fdeeda11f9dcecc1872ff378014"},{"introduced":"0"},{"fixed":"9d0ec0f92b5b5fdeeda11f9dcecc1872ff378014"},{"introduced":"0"},{"fixed":"9d0ec0f92b5b5fdeeda11f9dcecc1872ff378014"},{"introduced":"0"},{"fixed":"9d0ec0f92b5b5fdeeda11f9dcecc1872ff378014"},{"introduced":"0"},{"fixed":"9d0ec0f92b5b5fdeeda11f9dcecc1872ff378014"},{"fixed":"cc8b3483a5584b3301e3d43d17eb59704857ffaa"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.25.5"},{"introduced":"0"},{"fixed":"3.25.5"},{"introduced":"0"},{"fixed":"3.25.5"},{"introduced":"0"},{"fixed":"3.25.5"},{"introduced":"0"},{"fixed":"3.25.5"}]}}],"versions":["v2.6.0","v2.6.1rc1","v25.0-rc1","v26-dev","v27-dev","v28-dev","v3.0.0-alpha-3","v3.0.0-alpha-4","v3.0.0-beta-1","v3.0.0-beta-1-bzl-fix","v3.0.0-beta-2","v3.0.0-beta-3-pre-1","v3.12.3","v3.20.0-rc2","v3.25.0-rc1","v4.25.0-rc1"],"database_specific":{"vanir_signatures_modified":"2026-04-12T17:29:17Z","unresolved_ranges":[{"events":[{"introduced":"4.0.0"},{"fixed":"4.27.5"}]},{"events":[{"introduced":"4.28.0"},{"fixed":"4.28.2"}]},{"events":[{"introduced":"4.0.0"},{"fixed":"4.27.5"}]},{"events":[{"introduced":"4.28.0"},{"fixed":"4.28.2"}]},{"events":[{"introduced":"4.0.0"},{"fixed":"4.27.5"}]},{"events":[{"introduced":"4.28.0"},{"fixed":"4.28.2"}]},{"events":[{"introduced":"4.0.0"},{"fixed":"4.27.5"}]},{"events":[{"introduced":"4.28.0"},{"fixed":"4.28.2"}]},{"events":[{"introduced":"4.0.0"},{"fixed":"4.27.5"}]},{"events":[{"introduced":"4.28.0"},{"last_affected":"4.28.2"}]},{"events":[{"introduced":"0"},{"last_affected":"10"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-7254.json","vanir_signatures":[{"target":{"file":"java/core/src/main/java/com/google/protobuf/MessageSchema.java"},"source":"https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["187699666725553001969903735843994537532","55306071626887955823303766262560698223","74584313714193226701178778011701277881","147749986059702625189561456237485046506","74823940619903515778371050986420796194","265665398887781583308524351206282095442","239720152912315002222994748187684200603","310196590678153343607164611204813127461","74823940619903515778371050986420796194","265665398887781583308524351206282095442","239720152912315002222994748187684200603"]},"id":"CVE-2024-7254-7a965aa2","signature_type":"Line","deprecated":false},{"target":{"file":"java/core/src/main/java/com/google/protobuf/ArrayDecoders.java"},"source":"https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["124163967352246688214546229473473883455","300713614716662775751458287037321463210","294268701189291199123888170460374916188","24961642600297195342164888948858260154","129317413791818856815644527685599871799"]},"id":"CVE-2024-7254-8cf66719","signature_type":"Line","deprecated":false},{"target":{"file":"java/lite/src/test/java/com/google/protobuf/LiteTest.java"},"source":"https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["92273624040218165778987697797792380720","81525801942758895160828723104013261995","241044337175306843160308758859746429129","160531667966112287605753022255151236614","100435754983116611431478047320981963593","324837249835571934525420407386979029348","24734704794166928727777614298399665820","86118173199264051695381862993566979662","139515334792916736183679688177651617388","251135687449804296650880880240700788623","239974696282359619535496261995776110048","42957001103383622642059814999783710523","110848489944646821233482879575670719863"]},"id":"CVE-2024-7254-9988d8d4","signature_type":"Line","deprecated":false},{"target":{"file":"java/core/src/main/java/com/google/protobuf/UnknownFieldSchema.java"},"source":"https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["331837591212601565404889112357441580747","6848830727921630298366094500443245455","337032765652427255037688029722863516341","109853233186423233996409611364920863013","159204753246371336798510571774129811201","333810459316441745068039040687153935672","15475016457827397842140856676540627879"]},"id":"CVE-2024-7254-9c51baed","signature_type":"Line","deprecated":false},{"target":{"file":"java/core/src/main/java/com/google/protobuf/InvalidProtocolBufferException.java"},"source":"https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["280155160883867168633966633787872132746","249270040444639382789703269790216933115","483488570655035415058762629769103926","159460365723612061991314749211322806383"]},"id":"CVE-2024-7254-be705a3b","signature_type":"Line","deprecated":false},{"target":{"file":"java/core/src/main/java/com/google/protobuf/InvalidProtocolBufferException.java","function":"recursionLimitExceeded"},"source":"https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa","signature_version":"v1","digest":{"length":191,"function_hash":"193954467700084152208333944298167438950"},"id":"CVE-2024-7254-c632972f","signature_type":"Function","deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}