High severityNVD Advisory· Published Jun 8, 2023· Updated Jan 6, 2025
Panic when parsing invalid messages in google.golang.org/protobuf
CVE-2023-24535
Description
Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
google.golang.org/protobufGo | >= 1.29.0, < 1.29.1 | 1.29.1 |
Affected products
4- osv-coords3 versions
< 0.13.0-r3+ 2 more
- (no CPE)range: < 0.13.0-r3
- (no CPE)range: < 0.13.0-r3
- (no CPE)range: >= 1.29.0, < 1.29.1
- Range: 1.29.0
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-hw7c-3rfg-p46jghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-24535ghsaADVISORY
- github.com/golang/protobuf/issues/1530ghsaWEB
- go.dev/cl/475995ghsaWEB
- pkg.go.dev/vuln/GO-2023-1631ghsaWEB
News mentions
0No linked articles in our index yet.