GHSA-qjfj-3mm5-vrjg: Withdrawn Advisory: Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion

April 16, 2026

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-p2gh-cfq4-4wjc. This link is maintained to preserve external references.

Original Description

A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.

References

github.com/advisories/GHSA-qjfj-3mm5-vrjg
github.com/protocolbuffers/protobuf/security/advisories/GHSA-p2gh-cfq4-4wjc
nvd.nist.gov/vuln/detail/CVE-2026-6409

Code Behaviors & Features

Detect and mitigate GHSA-qjfj-3mm5-vrjg with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →