CVE-2024-7254
Overview
Protocol Buffers (protobuf) is Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data. Its Java runtime (protobuf-java) provides the generated message classes and the parsing and serialization APIs that Java applications use to read and write Protocol Buffer messages.
A Denial of Service vulnerability CVE-2024-7254 has been identified in the protobuf-java runtime, which allows a remote attacker to submit a crafted Protocol Buffer message whose deeply nested unknown group fields drive the parser into unbounded recursion, exhausting the JVM call stack and raising a StackOverflowError that aborts parsing and denies service.
Per OWASP The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others.
NVD scores this vulnerability 8.7 (High) under CVSS v4.0 with the vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N, and 7.5 (High) under CVSS v3.1 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Both scores reflect an availability-only impact: no privileges and no user interaction are required, and the outcome is denial of service with no confidentiality or integrity effect.
This issue affects multiple versions of Protocol Buffers, including every 3.x release of protobuf-java prior to 3.25.5, which encompasses the 3.21.x line that HeroDevs supports, as well as 4.x releases prior to 4.27.5 and 4.28.2.
Details
Module Info
- Product: Protocol Buffers
- Affected packages: com.google.protobuf:protobuf-java, com.google.protobuf:protobuf-javalite, com.google.protobuf:protobuf-kotlin, com.google.protobuf:protobuf-kotlin-lite
- Affected versions: <3.25.5, >=4.0.0-RC1 <4.27.5, >=4.28.0-RC1 <4.28.2
- GitHub repository: https://github.com/protocolbuffers/protobuf
- Published packages: https://central.sonatype.com/artifact/com.google.protobuf/protobuf-java
- Package manager: Maven
- Fixed in:
- NES for Protocol Buffers 3.21.14
- OSS Protocol Buffers (protobuf-java) 3.25.5
Vulnerability Info
This High-severity vulnerability is found in the protobuf-java package in multiple versions of Protocol Buffers. Protocol Buffers encodes each field on the wire with a tag, and group-typed fields are delimited by a start-group (SGROUP) tag and a matching end-group tag. When the parser encounters a start-group tag whose field number is not present in the target message schema, it handles the field on the unknown-field path, recursing to merge the nested group's contents.
On the affected releases, that unknown-field group merge carries no recursion ceiling. In UnknownFieldSchema, mergeOneFieldFrom recurses into each nested group without tracking depth:
final boolean mergeOneFieldFrom(B unknownFields, Reader reader) throws IOException {
...
mergeFrom(subFields, reader); // recurse into the nested group, no depth check
The same gap exists on the group-skip path: CodedInputStream.skipMessage() is declared abstract, and each concrete decoder skips a nested group with no recursion accounting, so discarding unknown fields (for example through DiscardUnknownFieldsParser) is equally unbounded. The known-field merge paths already consulted a recursion limit, but the unknown-field group merge and skip paths did not.
Because each nested start-group tag adds a Java stack frame with no ceiling, an attacker who can hand a protobuf parser an untrusted byte payload, through Message.parseFrom, Builder.mergeFrom, or the lite parser, can supply a long run of start-group tags for field numbers absent from the schema and drive recursion until the thread's stack is exhausted. The parse fails with an uncaught StackOverflowError rather than the parser's normal InvalidProtocolBufferException, terminating the request and, on threaded servers, potentially destabilizing the worker thread. No authentication, special configuration, or particular message type is required, and the impact is limited to availability, with no memory disclosure or code execution.
This vulnerability has been present since Protocol Buffers v2.6.1.
Mitigation
Only the most recent release of Protocol Buffers is community-supported. The affected 3.21.x line is End-of-Life and has no publicly available fix; NES for Protocol Buffers is the remedy for that line.
Users of the affected components should apply one of the following mitigations:
- Upgrade protobuf-java to a currently supported release that contains the fix, such as 3.25.5 (or 4.27.5 / 4.28.2 on the 4.x lines).
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- Alexis Challande from the Trail of Bits Ecosystem Security Team (finder)