Panic when parsing invalid messages in google.golang.org/protobuf
Description
Parsing invalid messages can cause a panic. Parsing a text-format message that contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Parsing a text-format protobuf message with a minus sign followed by whitespace and no further input causes a panic.
Root Cause
CVE-2023-24535 is a denial-of-service vulnerability in the Go protobuf library's text format parsing. The issue arises when the parser encounters a potential number consisting of a minus sign, one or more whitespace characters, and then no additional input. This causes the parser to panic, as it does not properly handle the incomplete numeric token after the minus sign [1][4].
Attack Vector
An attacker who can supply a crafted text-format protobuf message to an application that parses it can trigger the panic. The attack requires no special privileges or authentication; the malformed message simply needs to be parsed by a vulnerable version of the protobuf library. The specific payload, as described in the report, is a line like `s_int32: - # trailing space after -` [4]: a text-format field value that starts with a minus sign, followed by whitespace (e.g., a space or tab), after which the input ends.
Impact
Successful exploitation causes the application to crash due to an unhandled panic. This constitutes a denial-of-service condition. The impact is limited to availability, but any service that parses protobuf text format from untrusted sources is vulnerable.
Mitigation
The vulnerability has been patched in the Go protobuf module. Users of the google.golang.org/protobuf or github.com/golang/protobuf module should update to a fixed version (1.29.1 or later, per the affected-packages table below). The fix addresses the incomplete number parsing by handling the case where no digits follow the minus sign and whitespace [3]. No workaround other than updating is recommended.
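To make the root cause and the mitigation concrete, the following Go program is an added illustration and not code from google.golang.org/protobuf or from the fix referenced above. It uses a constructed toy tokenizer for text-format integers: `parseNumberVulnerable` reproduces the failure shape the advisory describes (a sign, then whitespace, then end of input, indexed without a bounds check), `parseNumberFixed` is the bounds-checked form that returns an error instead, and `safeParse` shows the boundary mitigation a service owner can apply while upgrading: recovering a parser panic into an error so a crafted message is rejected rather than crashing the process. All function names, the error value and the sample inputs are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed toy tokenizer for text-format integers. It is NOT the code of
// google.golang.org/protobuf; it only reproduces the failure shape the
// advisory describes: a '-' sign, then whitespace, then end of input.

// ErrIncompleteNumber is the error a well-behaved parser should return when
// a sign is not followed by any digit.
var ErrIncompleteNumber = errors.New("text format: '-' not followed by a digit")

func isSpace(c byte) bool { return c == ' ' || c == '\t' || c == '\n' || c == '\r' }
func isDigit(c byte) bool { return c >= '0' && c <= '9' }

// parseNumberVulnerable guards the empty and bare "-" inputs but forgets that
// skipping whitespace after the sign can also exhaust the input, so s[i]
// panics with an index-out-of-range on "- " (minus, space, end of input).
func parseNumberVulnerable(s string) (string, error) {
	if s == "" {
		return "", ErrIncompleteNumber
	}
	i, neg := 0, false
	if s[0] == '-' {
		neg = true
		i++
		if i == len(s) {
			return "", ErrIncompleteNumber
		}
		for isSpace(s[i]) { // missing "i < len(s) &&": runs off the end on "- "
			i++
		}
	}
	start := i
	for i < len(s) && isDigit(s[i]) {
		i++
	}
	if i == start {
		return "", ErrIncompleteNumber
	}
	tok := s[start:i]
	if neg {
		tok = "-" + tok
	}
	return tok, nil
}

// parseNumberFixed bounds-checks every index, so reaching end of input after
// the sign (with or without whitespace) is reported as ErrIncompleteNumber
// instead of crashing the process.
func parseNumberFixed(s string) (string, error) {
	i, neg := 0, false
	if i < len(s) && s[i] == '-' {
		neg = true
		i++
		for i < len(s) && isSpace(s[i]) {
			i++
		}
	}
	start := i
	for i < len(s) && isDigit(s[i]) {
		i++
	}
	if i == start {
		return "", ErrIncompleteNumber
	}
	tok := s[start:i]
	if neg {
		tok = "-" + tok
	}
	return tok, nil
}

// safeParse runs a parser over untrusted input and converts a panic into an
// error, so a crafted message is rejected instead of taking the process down.
// It is a boundary mitigation for the service owner, not a replacement for
// upgrading the library; recover only catches panics on this goroutine.
func safeParse(parse func(string) (string, error), s string) (tok string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("parser panic on %q: %v", s, r)
		}
	}()
	return parse(s)
}

func main() {
	// Constructed inputs; "- " is the advisory's trigger shape.
	for _, in := range []string{"-12", "- 7", "- ", "-", ""} {
		tok, err := safeParse(parseNumberVulnerable, in)
		fmt.Printf("vulnerable %-5q -> tok=%q err=%v\n", in, tok, err)
		tok, err = parseNumberFixed(in)
		fmt.Printf("fixed      %-5q -> tok=%q err=%v\n", in, tok, err)
	}
}
```

Running `main` shows the vulnerable tokenizer handling "-12" and "-" correctly and only failing on "- ", which is exactly why the defect was easy to miss: the empty and bare-sign cases were guarded, the whitespace-then-EOF path was not. The recover wrapper turns that panic into a logged, per-request error, which is also a useful detection signal (a spike of "parser panic" errors on a text-format endpoint), but the real fix is the bounds check in `parseNumberFixed`, i.e. upgrading to the patched module.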
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| google.golang.org/protobuf (Go) | >= 1.29.0, < 1.29.1 | 1.29.1 |
Affected products
4 entries (OSV coordinates, 3 version ranges: < 0.13.0-r3 and 2 more)
- (no CPE) range: < 0.13.0-r3
- (no CPE) range: < 0.13.0-r3
- (no CPE) range: >= 1.29.0, < 1.29.1
- range: 1.29.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5 references (source: ghsa)
- github.com/advisories/GHSA-hw7c-3rfg-p46j (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-24535 (ADVISORY)
- github.com/golang/protobuf/issues/1530 (WEB)
- go.dev/cl/475995 (WEB)
- pkg.go.dev/vuln/GO-2023-1631 (WEB)
News mentions
No linked articles in our index yet.