GHSA-2gh3-rmm4-6rq5: Crash due to uncontrolled recursion in protobuf crate

March 7, 2025 (updated March 11, 2025)

Affected version of this crate did not properly parse unknown fields when parsing a user-supplied input.

This allows an attacker to cause a stack overflow when parsing the message on untrusted data.

References

github.com/advisories/GHSA-2gh3-rmm4-6rq5
github.com/stepancheg/rust-protobuf
github.com/stepancheg/rust-protobuf/commit/f06992f46771c0a092593b9ebf7afd48740b3ed6
github.com/stepancheg/rust-protobuf/issues/749
rustsec.org/advisories/RUSTSEC-2024-0437.html

Code Behaviors & Features

Detect and mitigate GHSA-2gh3-rmm4-6rq5 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →