RUSTSEC-2024-0437

Crash due to uncontrolled recursion in protobuf crate

Reported:
Issued:
Package: protobuf (crates.io)
Type: Vulnerability
Categories:
Keywords: #panic
References:
Patched: no patched versions

Affected Functions and Versions:
protobuf::coded_input_stream::CodedInputStream::skip_group
  • <=3.4.0

Description

Affected versions of this crate did not properly parse unknown fields when parsing user-supplied input.

This allows an attacker to cause a stack overflow when the crate parses a message from untrusted data.
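
The usual remedy for this class of bug is to skip unknown groups with an explicit, bounded stack instead of recursion, so nesting depth in untrusted input becomes an error rather than a crash. The sketch below is an added example, not code from the protobuf crate; `MAX_GROUP_DEPTH`, `SkipError` and both function bodies are assumptions chosen for illustration.

```rust
// Added illustration: not code from the protobuf crate.
// MAX_GROUP_DEPTH, SkipError and these function bodies are assumptions.
const MAX_GROUP_DEPTH: usize = 100;

#[derive(Debug, PartialEq)]
enum SkipError { Truncated, Malformed, TooDeep }

fn read_varint(buf: &[u8], pos: &mut usize) -> Result<u64, SkipError> {
    let mut value = 0u64;
    for shift in (0..64).step_by(7) {
        let byte = *buf.get(*pos).ok_or(SkipError::Truncated)?;
        *pos += 1;
        value |= u64::from(byte & 0x7f) << shift;
        if byte & 0x80 == 0 { return Ok(value); }
    }
    Err(SkipError::Malformed) // varint longer than 10 bytes
}

/// Skips an unknown group whose start tag (field number `field`) ended at
/// `start`; returns the offset just past the matching end-group tag.
fn skip_group(buf: &[u8], start: usize, field: u64) -> Result<usize, SkipError> {
    let mut pos = start;
    let mut open = vec![field]; // heap stack of open groups replaces recursion
    while let Some(current) = open.last().copied() {
        let tag = read_varint(buf, &mut pos)?;
        let (number, wire_type) = (tag >> 3, tag & 7);
        let payload = match wire_type {
            0 => { read_varint(buf, &mut pos)?; 0 } // varint value
            1 => 8,                                  // fixed64
            2 => read_varint(buf, &mut pos)?,        // length-delimited
            3 if open.len() >= MAX_GROUP_DEPTH => return Err(SkipError::TooDeep),
            3 => { open.push(number); 0 }            // nested start-group
            4 if number != current => return Err(SkipError::Malformed),
            4 => { open.pop(); 0 }                   // matching end-group
            5 => 4,                                  // fixed32
            _ => return Err(SkipError::Malformed),
        };
        // pos <= buf.len() holds here, so the subtraction cannot underflow.
        if payload > (buf.len() - pos) as u64 { return Err(SkipError::Truncated); }
        pos += payload as usize;
    }
    Ok(pos)
}

fn main() {
    // Constructed sample body of group 1: field 2 = 5 (varint), empty group 3.
    let msg: [u8; 5] = [0x10, 0x05, 0x1b, 0x1c, 0x0c];
    println!("{:?}", skip_group(&msg, 0, 1));
}
```

Stack use stays constant regardless of input, and the `open` vector never grows past `MAX_GROUP_DEPTH` entries.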

Advisory available under CC0-1.0 license.