CVE-2024-7254

Description

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

CVSS Metrics

• v4.0•HIGH•Score: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
• v4.0•HIGH•Score: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
• v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.13%• Percentile: 33%

Techniques & Countermeasures

• CWE-400•Uncontrolled Resource Consumption

  The product does not properly control the allocation and maintenance of a limited resource.

• CWE-674•Uncontrolled Recursion

  The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

• CWE-787•Out-of-bounds Write

  The product writes data past the end, or before the beginning, of the intended buffer.

Affected Systems

• RubyGems•google-protobuf

  < 3.25.5 | ≥ 4.0.0.rc.1, < 4.27.5 | ≥ 4.28.0.rc.1, < 4.28.2

• google•google-protobuf [jruby gem]

  < 3.25.5 | < 4.27.5 | < 4.28.2

• google•protobuf

  < 3.25.5 | ≥ 4.0.0, < 4.27.5 | ≥ 4.28.0, < 4.28.2

• google•protobuf-java

  < 4.27.5 | < 4.28.2 | < 3.25.5 | ≥ 4.0.0, < 4.27.5 | ≥ 4.28.0, < 4.28.2

• google•protobuf-javalite

  < 4.27.5 | < 4.28.2 | < 3.25.5 | ≥ 4.0.0, < 4.27.5 | ≥ 4.28.0, < 4.28.2

• google•protobuf-kotlin

  < 4.27.5 | < 4.28.2 | < 3.25.5 | ≥ 4.0.0, < 4.27.5 | ≥ 4.28.0, < 4.28.2

• google•protobuf-kotlin-lite

  < 3.25.5 | ≥ 4.0.0, < 4.27.5 | ≥ 4.28.0, ≤ 4.28.2

• google•protobuf-kotllin-lite

  < 3.25.5 | < 4.27.5 | < 4.28.2

• google•protocol buffers

  < 28.2

• com.google.protobuf•protobuf-java

  < 3.25.5 | ≥ 4.0.0-RC1, < 4.27.5 | ≥ 4.28.0-RC1, < 4.28.2

• com.google.protobuf•protobuf-javalite

  < 3.25.5 | ≥ 4.0.0-RC1, < 4.27.5 | ≥ 4.28.0-RC1, < 4.28.2

• com.google.protobuf•protobuf-kotlin

  < 3.25.5 | ≥ 4.0.0-RC1, < 4.27.5 | ≥ 4.28.0-RC1, < 4.28.2

• com.google.protobuf•protobuf-kotlin-lite

  < 3.25.5 | ≥ 4.0.0-RC1, < 4.27.5 | ≥ 4.28.0-RC1, < 4.28.2

• netapp•active_iq_unified_manager

  na

• netapp•bluexp

  na

• netapp•ontap_tools

  10

References (14)

• https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
• https://security.netapp.com/advisory/ntap-20241213-0010/
• https://security.netapp.com/advisory/ntap-20250418-0006/
• https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8
• https://nvd.nist.gov/vuln/detail/CVE-2024-7254
• https://github.com/protocolbuffers/protobuf/commit/4728531c162f2f9e8c2ca1add713cfee2db6be3b
• https://github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b
• https://github.com/protocolbuffers/protobuf/commit/9a5f5fe752a20cbac2e722b06949ac985abdd534
• https://github.com/protocolbuffers/protobuf/commit/ac9fb5b4c71b0dd80985b27684e265d1f03abf46
• https://github.com/protocolbuffers/protobuf/commit/d6c82fc55a76481c676f541a255571e8950bb8c3
• https://github.com/protocolbuffers/protobuf
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2024-7254.yml
• https://security.netapp.com/advisory/ntap-20241213-0010
• https://security.netapp.com/advisory/ntap-20250418-0006