Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04cjNmLTg0NGMtbWMzN84AA5yO
Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
Permalink: https://github.com/advisories/GHSA-8r3f-844c-mc37
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cjNmLTg0NGMtbWMzN84AA5yO
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 months ago
Updated: about 1 month ago
Identifiers: GHSA-8r3f-844c-mc37, CVE-2024-24786
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-24786
- https://go.dev/cl/569356
- https://pkg.go.dev/vuln/GO-2024-2611
- https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023
- https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0
- https://lists.fedoraproject.org/archives/list/[email protected]/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU
- https://github.com/advisories/GHSA-8r3f-844c-mc37
Blast Radius: 0.0
Affected Packages
go:google.golang.org/protobuf/internal/encoding/json
Affected Version Ranges: < 1.33.0
Fixed in: 1.33.0
go:google.golang.org/protobuf/encoding/protojson
Affected Version Ranges: < 1.33.0
Fixed in: 1.33.0
go:google.golang.org/protobuf
Dependent packages: 86,079
Dependent repositories: 148,671
Downloads:
Affected Version Ranges: < 1.33.0
Fixed in: 1.33.0
All affected versions: 1.20.0, 1.20.1, 1.21.0, 1.22.0, 1.23.0, 1.24.0, 1.25.0, 1.26.0, 1.27.0, 1.27.1, 1.28.0, 1.28.1, 1.29.0, 1.29.1, 1.30.0, 1.31.0, 1.32.0
All unaffected versions: 1.33.0