Google Protocol Buffers Denial-of-Service Vulnerability in JSON Parsing of Nested Any Messages

Vulnerability

A denial-of-service vulnerability has been identified in the Google Protocol Buffers library for Python. The issue arises in the 'json_format.ParseDict()' function, where the maximum recursion depth limit can be circumvented when processing nested 'google.protobuf.Any' messages. This vulnerability is caused by inadequate recursion depth management in the internal logic that handles 'Any' types. An attacker can exploit this by providing deeply nested 'Any' structures that bypass the intended recursion limit, leading to a stack overflow and a 'RecursionError'.

Impact

Exploitation of this vulnerability causes a stack overflow, resulting in a 'RecursionError' and a denial-of-service condition.

Remediation

Users can update to the latest version of Google Protocol Buffers, where this vulnerability has been addressed, to mitigate this issue.

Added: Jan 23, 2026, 3:57 PM
Updated: Jan 23, 2026, 3:57 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 4.7
remediation: 7.7
relevance: 2.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.