Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS04cjNmLTg0NGMtbWMzN84AA5yO

Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Permalink: https://github.com/advisories/GHSA-8r3f-844c-mc37
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cjNmLTg0NGMtbWMzN84AA5yO
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 24 days ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-8r3f-844c-mc37, CVE-2024-24786
References:

• https://nvd.nist.gov/vuln/detail/CVE-2024-24786
• https://go.dev/cl/569356
• https://pkg.go.dev/vuln/GO-2024-2611
• https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023
• https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0
• https://lists.fedoraproject.org/archives/list/[email protected]/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU
• http://www.openwall.com/lists/oss-security/2024/03/08/4
• https://security.netapp.com/advisory/ntap-20240517-0002
• https://github.com/advisories/GHSA-8r3f-844c-mc37

Repository: https://github.com/protocolbuffers/protobuf-go
Blast Radius: 38.8

Affected Packages