CVE-2024-7254: Stack overflow in Protocol Buffers Java Lite

Published Sep 19, 2024

Summary

When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team <ecosystem@trailofbits.com>

Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.

Severity

CVE-2024-7254: High, CVSS 4.0 score 8.7 (NOTE: there may be a delay in publication). This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

Proof of Concept

For reproduction details, please refer to the unit tests (Protobuf Java LiteTest and CodedInputStreamTest) that identify the specific inputs that exercise this parsing weakness.

Remediation and Mitigation

We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:

protobuf-java (3.25.5, 4.27.5, 4.28.2)
protobuf-javalite (3.25.5, 4.27.5, 4.28.2)
protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)
protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)
com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)

Other sources

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups (a series of SGROUP tags) can be corrupted by exceeding the stack limit, i.e. a StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that can be abused by an attacker.

Red Hat
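The recursion described above is driven by the tag stream itself: every SGROUP tag opens one more level before the matching EGROUP closes it, and the vulnerable parsers descended a level per SGROUP with no bound. The following Python scanner is an added example, not code from the advisory or from the Protobuf project. It walks the raw wire format iteratively, tracks how deeply groups nest, and lets a service reject a message that exceeds a chosen depth before the message reaches a Protobuf parser. It needs no schema, because group nesting is visible in the tags alone; length-delimited payloads are skipped opaquely, since an embedded message cannot open a group in the enclosing tag stream. The function names, the default limit of 100, and the two constructed sample messages are assumptions made here, and the check is a defence-in-depth pre-filter, not a replacement for upgrading to the fixed versions.

```python
# Added example: schema-free, iterative pre-parse check that bounds group
# nesting depth in a raw Protocol Buffers message.  Not code from the
# advisory or from the protobuf project; names, the default limit and the
# sample inputs below are assumptions.

# Wire types from the Protocol Buffers encoding specification.
WIRE_VARINT = 0
WIRE_FIXED64 = 1
WIRE_LEN = 2
WIRE_SGROUP = 3   # start of a group (deprecated, but still parsed)
WIRE_EGROUP = 4   # end of a group
WIRE_FIXED32 = 5


def _read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode one base-128 varint at buf[pos]; return (value, next position)."""
    value = 0
    shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def max_group_depth(buf: bytes, limit: int = 100) -> int:
    """Scan the tag stream and return the deepest SGROUP nesting found.

    Raises ValueError if nesting exceeds `limit`, if groups are unbalanced
    or mismatched, or if the buffer is truncated or uses an unknown wire
    type.  The scan is a loop over a list, so it cannot itself exhaust the
    call stack, whatever the input looks like.
    """
    pos = 0
    open_groups: list[int] = []   # field numbers of currently open groups
    deepest = 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field_number, wire_type = tag >> 3, tag & 0x7
        if field_number == 0:
            raise ValueError("field number 0 is invalid")
        if wire_type == WIRE_VARINT:
            _, pos = _read_varint(buf, pos)
        elif wire_type == WIRE_FIXED64:
            pos += 8
        elif wire_type == WIRE_LEN:
            length, pos = _read_varint(buf, pos)
            pos += length   # payload skipped opaquely; it cannot open a group here
        elif wire_type == WIRE_SGROUP:
            open_groups.append(field_number)
            if len(open_groups) > limit:
                raise ValueError(f"group nesting exceeds limit of {limit}")
            deepest = max(deepest, len(open_groups))
        elif wire_type == WIRE_EGROUP:
            if not open_groups or open_groups.pop() != field_number:
                raise ValueError("end-group tag without matching start-group")
        elif wire_type == WIRE_FIXED32:
            pos += 4
        else:
            raise ValueError(f"unknown wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("field payload runs past end of buffer")
    if open_groups:
        raise ValueError("unterminated group at end of message")
    return deepest


def accept_message(buf: bytes, limit: int = 100) -> bool:
    """True if the message is well-formed at the wire level and within `limit`."""
    try:
        max_group_depth(buf, limit)
        return True
    except ValueError:
        return False


def nested_groups(depth: int, field_number: int = 1) -> bytes:
    """Constructed sample: `depth` nested empty groups on one field number
    (field numbers up to 15 fit in a single tag byte)."""
    start = bytes([(field_number << 3) | WIRE_SGROUP])
    end = bytes([(field_number << 3) | WIRE_EGROUP])
    return start * depth + end * depth


# Constructed samples: a flat message (field 1 = varint 150, field 2 = "hi")
# and a message with three nested groups.
FLAT_MESSAGE = b"\x08\x96\x01\x12\x02hi"
SHALLOW_GROUPS = nested_groups(3)

if __name__ == "__main__":
    print("flat depth:", max_group_depth(FLAT_MESSAGE))
    print("nested depth:", max_group_depth(SHALLOW_GROUPS))
    print("depth 5 accepted under limit 4:", accept_message(nested_groups(5), limit=4))
```

Run `accept_message(payload, limit)` on each untrusted message before parsing and drop or log anything it rejects; a rejected message is also a useful detection signal, since legitimate producers rarely emit groups at all. The limit should be set no higher than the nesting the application genuinely needs.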

Affected Software

37 affected components (fixes available)

Component: affected range (fixed version where available)

debian/protobuf: <=3.12.4-1+deb11u1, <=3.21.12-3, <=3.21.12-10
debian/rust-protobuf: <=2.27.1-1
maven/com.google.protobuf:protobuf-java: >=4.28.0.rc.1, <4.28.2 (fixed in 4.28.2)
maven/com.google.protobuf:protobuf-java: >=4.0.0.rc.1, <4.27.5 (fixed in 4.27.5)
maven/com.google.protobuf:protobuf-javalite: >=4.28.0.rc.1, <4.28.2 (fixed in 4.28.2)
maven/com.google.protobuf:protobuf-javalite: >=4.0.0.rc.1, <4.27.5 (fixed in 4.27.5)
maven/com.google.protobuf:protobuf-kotlin: >=4.28.0.rc.1, <4.28.2 (fixed in 4.28.2)
maven/com.google.protobuf:protobuf-kotlin: >=4.0.0.rc.1, <4.27.5 (fixed in 4.27.5)
maven/com.google.protobuf:protobuf-kotlin-lite: >=4.28.0.rc.1, <4.28.2 (fixed in 4.28.2)
maven/com.google.protobuf:protobuf-kotlin-lite: >=4.0.0.rc.1, <4.27.5 (fixed in 4.27.5)
rubygems/google-protobuf: >=4.28.0.rc.1, <4.28.2 (fixed in 4.28.2)
rubygems/google-protobuf: >=4.0.0.rc.1, <4.27.5 (fixed in 4.27.5)
rubygems/google-protobuf: <3.25.5 (fixed in 3.25.5)
maven/com.google.protobuf:protobuf-kotlin-lite: <3.25.5 (fixed in 3.25.5)
maven/com.google.protobuf:protobuf-kotlin: <3.25.5 (fixed in 3.25.5)
maven/com.google.protobuf:protobuf-javalite: <3.25.5 (fixed in 3.25.5)
maven/com.google.protobuf:protobuf-java: <3.25.5 (fixed in 3.25.5)
Google Protobuf Ruby: <3.25.5
Google Protobuf Ruby: >=4.0.0, <4.27.5
Google Protobuf Ruby: >=4.28.0, <4.28.2
Google protobuf-java: <3.25.5
Google protobuf-java: >=4.0.0, <4.27.5
Google protobuf-java: >=4.28.0, <4.28.2
Google protobuf-javalite: <3.25.5
Google protobuf-javalite: >=4.0.0, <4.27.5
Google protobuf-javalite: >=4.28.0, <4.28.2
Google protobuf-kotlin: <3.25.5
Google protobuf-kotlin: >=4.0.0, <4.27.5
Google protobuf-kotlin: >=4.28.0, <4.28.2
Google protobuf-kotlin-lite: <3.25.5
Google protobuf-kotlin-lite: >=4.0.0, <4.27.5
Google protobuf-kotlin-lite: >=4.28.0, <=4.28.2
NetApp Active Iq Unified Manager Linux
NetApp Active Iq Unified Manager Vmware Vsphere
NetApp Active Iq Unified Manager Windows
NetApp Bluexp
NetApp Ontap Tools Vmware Vsphere: =10

Event History

Sep 19, 2024
CVE Published via MITRE, 12:18 AM
Data Sourced via MITRE, 12:18 AM (Description, Weakness)
Data Sourced via NVD, 01:15 AM (Description, Severity, Weakness)
Data Sourced via NVD, 01:15 AM (Remedy, Affected Software)
Data Sourced via Red Hat, 01:20 AM (Description, Severity, Affected Software)
Advisory Published via GitHub, 04:06 PM

Feb 4, 2025
Data Sourced via IBM, 12:00 AM (Description, Affected Software)

Apr 18, 2025
Data Sourced via Ubuntu, 06:43 PM (Remedy, Description, Severity, Affected Software)

Parent advisories

This vulnerability appears in the following advisories.


Frequently Asked Questions

1. What is the severity of CVE-2024-7254?

CVE-2024-7254 has a high severity rating due to its potential to cause application crashes through a StackOverflow error.

2. How do I fix CVE-2024-7254?

To mitigate CVE-2024-7254, upgrade to protobuf-java, protobuf-javalite, protobuf-kotlin, or protobuf-kotlin-lite version 4.28.2 or 4.27.5.

3. Which versions are affected by CVE-2024-7254?

CVE-2024-7254 affects protobuf-java, protobuf-javalite, protobuf-kotlin, and protobuf-kotlin-lite versions between 4.0.0.rc.1 and 4.28.2 inclusive.

4. What causes the CVE-2024-7254 vulnerability?

CVE-2024-7254 is caused by the parsing of unknown fields in the Protobuf library, which can lead to a StackOverflow error.

5. Is there a workaround for CVE-2024-7254?

The best approach to address CVE-2024-7254 is to update to the latest secure versions of the affected Protobuf libraries.
