7.5

CVSS Score

Basic Information

CVE ID

CVE-2024-24786

GHSA ID

GHSA-8r3f-844c-mc37

EPSS Score

CWE

CWE-835

Published

3/6/2024

Updated

11/7/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-24786

CVE-2024-24786:
Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

(GitHub Advisory)

7.5

CVSS Score

Basic Information

CVE ID

CVE-2024-24786

GHSA ID

GHSA-8r3f-844c-mc37

EPSS Score

CWE

CWE-835

Published

3/6/2024

Updated

11/7/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
google.golang.org/protobuf	go	< 1.33.0	1.33.0
google.golang.org/protobuf/encoding/protojson	go	< 1.33.0	1.33.0
google.golang.org/protobuf/internal/encoding/json	go	< 1.33.0	1.33.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability CVE-2024-24786 describes an infinite loop in protojson.Unmarshal. The provided commit f01a588e5810b90996452eec4a28f22a0afae023 addresses this.

protojson.Unmarshal is identified as the primary affected function based on the vulnerability description. The loop occurs within its execution.
The patch modifies encoding/protojson.(*decoder).skipJSONValue by adding a check for json.EOF with a comment explicitly stating it's to 'Avoid an infinite loop'. This indicates skipJSONValue was directly involved in the loop.
The patch also modifies internal/encoding/json.(*Decoder).Read to correctly handle malformed JSON object closing tokens. The commit message explains this change fixes error handling for inputs like {"":}. Incorrect parsing by Read could lead to the conditions causing the infinite loop in higher-level functions like skipJSONValue or within the broader Unmarshal logic. Therefore, Unmarshal is the entry point, and the loop was caused by issues in its dependent functions skipJSONValue and Decoder.Read when processing specific invalid JSON inputs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** protojson.Unm*rs**l *un*tion **n *nt*r *n in*init* loop w**n unm*rs**lin* **rt*in *orms o* inv*li* JSON. T*is *on*ition **n o**ur w**n unm*rs**lin* into * m*ss*** w*i** *ont*ins * *oo*l*.proto*u*.*ny v*lu*, or w**n t** Unm*rs**lOptions.*is**r*Unk

Reasoning

T** vuln*r**ility *V*-****-***** **s*ri**s *n in*init* loop in `protojson.Unm*rs**l`. T** provi*** *ommit `****************************************` ***r*ss*s t*is. *. `protojson.Unm*rs**l` is i**nti*i** *s t** prim*ry *****t** *un*tion **s** on t**

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-24786: Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-24786:
Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON

Vulnerability Intelligence
Miggo AI