Primary

Context

Square Wire Recursion Limit Vulnerability in Proto Reader Components

Vulnerability

Patched

A vulnerability exists in Square Wire versions prior to 5.2.0, where the application fails to enforce a recursion limit on nested groups within the ProtoReader components. This oversight can potentially lead to excessive memory usage or stack overflow errors.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by leading to a stack overflow, which can disrupt the normal operation of the application.

Reproduction

The vulnerability can be reproduced by using a version of Square Wire prior to 5.2.0 and creating a nested group structure that exceeds the default recursion limit. This can be done by crafting a Protocol Buffers message that includes repeated fields, which can be packed to create a deep nesting of groups. The ProtoReader will not properly enforce the recursion limit, leading to a stack overflow.

Remediation

Users can upgrade to Square Wire version 5.2.0 or later, where this vulnerability has been addressed.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

5.7

remediation

7.7

relevance

0.0

threat

4.8

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

5.7

remediation

7.7

relevance

0.0

threat

4.8

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Square Wire Recursion Limit Vulnerability in Proto Reader Components

Vulnerability

Impact

Reproduction

Remediation

Affected Products

Square Wire

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating