CVE-2024-58103: Medium severity Square Wire vulnerability
Published Mar 16, 2025
Square Wire before 5.2.0 does not enforce a recursion limit on nested groups in ByteArrayProtoReader32.kt and ProtoReader.kt.
Affected Software
2 affected components. Fixes available.
Square Wire < 5.2.0
maven/com.squareup.wire:wire-runtime < 5.2.0
Fixed in: 5.2.0
Event History
Mar 16, 2025
12:00 AM · CVE Published via MITRE
12:00 AM · Data Sourced via MITRE (Description, Severity, Weakness)
04:15 AM · Data Sourced via NVD (Description, Severity, Weakness)
06:30 AM · Advisory Published via GitHub
06:30 AM · Data Sourced via GitHub (Description, Severity, Weakness, Affected Software)
Frequently Asked Questions
1. What is the severity of CVE-2024-58103?
CVE-2024-58103 has a high severity due to the lack of recursion limit enforcement in nested groups.
2. How do I fix CVE-2024-58103?
To fix CVE-2024-58103, upgrade to Square Wire version 5.2.0 or later.
3. What are the potential risks associated with CVE-2024-58103?
CVE-2024-58103 can lead to a denial of service due to excessive memory consumption through deeply nested groups.
4. How does CVE-2024-58103 affect Square Wire?
CVE-2024-58103 affects Square Wire by allowing arbitrary nesting of groups that can overwhelm system resources.
5. Is CVE-2024-58103 exploitable in production environments?
Yes, CVE-2024-58103 is exploitable in production environments where Square Wire versions prior to 5.2.0 are being used.