{"id":"GHSA-hw7c-3rfg-p46j","summary":"google.golang.org/protobuf vulnerable to panic leading to denial of service","details":"Parsing invalid messages can panic.\n\nParsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.","aliases":["CVE-2023-24535","GO-2023-1631"],"modified":"2026-02-04T04:21:52.366702Z","published":"2023-03-14T23:01:50Z","related":["CGA-fm8q-xqj8-xg8c"],"database_specific":{"github_reviewed_at":"2023-03-14T23:01:50Z","severity":"HIGH","github_reviewed":true,"cwe_ids":["CWE-125"],"nvd_published_at":"2023-06-08T21:15:16Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-24535"},{"type":"WEB","url":"https://github.com/golang/protobuf/issues/1530"},{"type":"PACKAGE","url":"https://github.com/golang/protobuf"},{"type":"WEB","url":"https://go.dev/cl/475995"},{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2023-1631"}],"affected":[{"package":{"name":"google.golang.org/protobuf","ecosystem":"Go","purl":"pkg:golang/google.golang.org/protobuf"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.29.0"},{"fixed":"1.29.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-hw7c-3rfg-p46j/GHSA-hw7c-3rfg-p46j.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}