7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-7254

GHSA ID

GHSA-735f-pc8j-v9w8

EPSS Score

0.33072%

CWE

CWE-20

Published

9/19/2024

Updated

4/23/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-7254

CVE-2024-7254: protobuf-java has potential Denial of Service issue

Summary

When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team ecosystem@trailofbits.com

Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.

Severity

CVE-2024-7254 High CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication) This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

Proof of Concept

For reproduction details, please refer to the unit tests (Protobuf Java LiteTest and CodedInputStreamTest) that identify the specific inputs that exercise this parsing weakness.

Remediation and Mitigation

We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:

protobuf-java (3.25.5, 4.27.5, 4.28.2)
protobuf-javalite (3.25.5, 4.27.5, 4.28.2)
protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)
protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)
com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-7254

GHSA ID

GHSA-735f-pc8j-v9w8

EPSS Score

0.33072%

CWE

CWE-20

Published

9/19/2024

Updated

4/23/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.google.protobuf:protobuf-java	maven	< 3.25.5	3.25.5
com.google.protobuf:protobuf-javalite	maven	< 3.25.5	3.25.5
com.google.protobuf:protobuf-kotlin	maven	< 3.25.5	3.25.5
com.google.protobuf:protobuf-kotlin-lite	maven	< 3.25.5	3.25.5
google-protobuf	rubygems	< 3.25.5	3.25.5
google-protobuf	rubygems	>= 4.0.0.rc.1, < 4.27.5	4.27.5
google-protobuf	rubygems	>= 4.28.0.rc.1, < 4.28.2	4.28.2
com.google.protobuf:protobuf-kotlin-lite	maven	>= 4.0.0.rc.1, < 4.27.5	4.27.5
com.google.protobuf:protobuf-kotlin-lite	maven	>= 4.28.0.rc.1, < 4.28.2	4.28.2
com.google.protobuf:protobuf-kotlin	maven	>= 4.0.0.rc.1, < 4.27.5	4.27.5
com.google.protobuf:protobuf-kotlin	maven	>= 4.28.0.rc.1, < 4.28.2	4.28.2
com.google.protobuf:protobuf-javalite	maven	>= 4.0.0.rc.1, < 4.27.5	4.27.5
com.google.protobuf:protobuf-javalite	maven	>= 4.28.0.rc.1, < 4.28.2	4.28.2
com.google.protobuf:protobuf-java	maven	>= 4.0.0.rc.1, < 4.27.5	4.27.5
com.google.protobuf:protobuf-java	maven	>= 4.28.0.rc.1, < 4.28.2	4.28.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Denial of Service caused by stack overflow due to unbounded recursion when parsing protobuf messages with deeply nested unknown groups. I analyzed the provided commit patches, focusing on changes that introduced recursion depth counters and limits. The functions where these checks were added are considered the previously vulnerable functions. Key functions identified are those directly involved in decoding/merging unknown fields (especially groups), such as com.google.protobuf.ArrayDecoders.decodeUnknownField and com.google.protobuf.UnknownFieldSchema.mergeOneFieldFrom / com.google.protobuf.UnknownFieldSchema.mergeFrom. Additionally, com.google.protobuf.CodedInputStream.skipMessage was patched as skipping deeply nested structures could also trigger the vulnerability. Functions for merging known message and group fields (com.google.protobuf.ArrayDecoders.mergeMessageField, com.google.protobuf.ArrayDecoders.mergeGroupField) also received recursion checks, indicating they could be part of problematic recursion chains, though the vulnerability description emphasizes 'unknown fields'.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry W**n p*rsin* unknown *i*l*s in t** Proto*u* J*v* Lit* *n* *ull li*r*ry, * m*li*iously *r**t** m*ss*** **n **us* * St**kOv*r*low *rror *n* l*** to * pro*r*m *r*s*. R*port*r: *l*xis ***ll*n**, Tr*il o* *its **osyst*m S**urity T**m <**osyst

Reasoning

T** vuln*r**ility is * **ni*l o* S*rvi** **us** *y st**k ov*r*low *u* to un*oun*** r**ursion w**n p*rsin* proto*u* m*ss***s wit* ***ply n*st** unknown *roups. I *n*lyz** t** provi*** *ommit p*t***s, *o*usin* on ***n**s t**t intro*u*** r**ursion **pt*

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-7254: protobuf-java has potential Denial of Service issue

Summary

Severity

Proof of Concept

Remediation and Mitigation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI