CVE-2024-24786

Aliases:GHSA-8r3f-844c-mc37GO-2024-2611
Advisory lineage Upstream: 0 Downstream: 43
Deferred
Published: 05 Mar 2024, 22:22
Last modified:13 Feb 2025, 17:40

Vulnerability Summary

Overall Risk (default)
medium
30/100
CVSS Score
7.5 HIGH
v3.1 (cve.org)
EPSS Score
0.53% LOW
1% probability +0.30%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

05 Mar 2024, 22:22
Published
Vulnerability first disclosed
13 Feb 2025, 17:40
Last Modified
Vulnerability information updated

Description

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

CVSS Metrics

  • v4.0HIGHScore: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.53% Percentile: 68%

Affected Systems

  • google.golang.orgprotobuf

    < 1.33.0

  • google.golang.org/protobuf/encodingprotojson

    < 1.33.0

  • google.golang.org/protobuf/internal/encodingjson

    < 1.33.0

  • google.golang.org/protobufgoogle.golang.org/protobuf/encoding/protojson

    < 1.33.0

  • google.golang.org/protobufgoogle.golang.org/protobuf/internal/encoding/json

    < 1.33.0

References (11)