Google Protobuf Pure-Python backend
Moderate fix1 remedy
cpe:2.3:a:google:protobuf-python:*:*:*:*:*:*:*
Moderate fix1 remedy
Protobuf Recursive Group and Message Processing Denial-of-Service Vulnerability
Vulnerability
Patched
A denial-of-service vulnerability has been identified in the Protobuf library's pure-Python backend. This issue arises when untrusted Protocol Buffers data is parsed, particularly if it contains recursive groups, recursive messages, or a series of SGROUP tags. The vulnerability exploits Python's recursion limit, leading to a RecursionError that crashes the application. The problem is present in Protobuf versions prior to 6.31.1.
Impact
Exceeding the Python recursion limit causes a RecursionError, crashing the application.
Reproduction
The vulnerability can be reproduced by using the Protobuf pure-Python backend to parse Protocol Buffers data that includes an arbitrary number of recursive groups or messages, or a series of SGROUP tags. This can be done by creating a self-referential Protocol Buffers message definition and then serializing a message that exceeds the recursion limit. The application will crash with a RecursionError, demonstrating the denial-of-service condition.
Remediation
Users are advised to upgrade to Protobuf version 6.31.1 or later.
Added: Jun 16, 2025, 3:19 PM
Updated: Jun 16, 2025, 3:19 PM
Vulnerability Rating
Custom Algorithm
spread
6.6impact
2.5exploitability
5.4remediation
7.7relevance
0.2threat
4.8urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.