GSA_kwCzR0hTQS1yeGY2LTMyM2YtNDRmY84ABJvM

Moderate EPSS: 0.00064% (0.20319 Percentile) EPSS:

Permalink JSON

rust-protobuf crate is vulnerable to Uncontrolled Recursion, potentially leading to DoS

Affected Packages	Affected Versions	Fixed Versions
cargo:protobuf	< 3.7.2	3.7.2
510 Dependent packages 3,839 Dependent repositories 60,826,266 Downloads total Affected Version Ranges All affected versions 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.0.17, 1.0.18, 1.0.19, 1.0.20, 1.0.21, 1.0.22, 1.0.23, 1.0.24, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.5.0, 1.5.1, 1.6.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.4.0, 2.4.2, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.11.0, 2.12.0, 2.13.0, 2.14.0, 2.15.0, 2.15.1, 2.16.0, 2.16.1, 2.16.2, 2.17.0, 2.18.0, 2.18.1, 2.18.2, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.22.1, 2.23.0, 2.24.0, 2.24.1, 2.24.2, 2.25.0, 2.25.1, 2.25.2, 2.26.0, 2.26.1, 2.27.0, 2.27.1, 2.28.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.5.0, 3.5.1, 3.6.0, 3.7.1 All unaffected versions 3.7.2

The protobuf crate before 3.7.2 for Rust allows uncontrolled recursion in the protobuf::coded_input_stream::CodedInputStream::skip_group parsing of unknown fields in untrusted input.

References:

Identifiers

GHSA-rxf6-323f-44fc

CVE-2025-53605

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00064

EPSS Percentile: 0.20319

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/stepancheg/rust-protobuf

Date and time

Published

23 days ago

Updated

20 days ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories