High severityNVD Advisory· Published Dec 18, 2023· Updated Nov 21, 2025

Infinispan: circular reference on marshalling leads to dos

CVE-2023-5236

Description

Infinispan unmarshalling fails to detect circular object references, allowing authenticated attackers to cause OOM and DoS by inserting crafted objects.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Infinispan unmarshalling fails to detect circular object references, allowing authenticated attackers to cause OOM and DoS by inserting crafted objects.

A flaw in Infinispan's unmarshalling process does not detect circular object references [1][2]. When deserializing data, the system can recurse indefinitely on self-referential objects, leading to excessive memory consumption.

An authenticated attacker with sufficient permissions can exploit this by inserting a maliciously crafted object into the cache [1][2]. The attack requires authenticated access to the cache and the ability to store objects, but no special network position beyond that.

The impact is a denial of service due to out-of-memory errors [1][2]. The uncontrolled recursion can exhaust available memory, causing the Infinispan server or application to crash or become unresponsive.

The issue has been addressed in the protostream library by limiting nested message depth during marshalling [3]. Red Hat Data Grid 8.4.4 includes this fix and is available as a security update [4].

References

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.infinispan.protostream:protostreamMaven	< 4.6.2.Final	4.6.2.Final

Affected products

Red Hat/Red Hat build of Apache Camel 4 for Quarkus 3v5
cpe:/a:redhat:camel_quarkus:3
Red Hat/Build Of Apache Camel For Spring Bootcpe-rescue
cpe:/a:redhat:camel_spring_boot:4
Red Hat/Red Hat build of Debezium 2v5
cpe:/a:redhat:debezium:2
Red Hat/Red Hat build of Debezium 3v5
cpe:/a:redhat:debezium:3
Red Hat/Red Hat Data Grid 8v5
cpe:/a:redhat:jboss_data_grid:8
Red Hat/Jboss Enterprise Application Platform Expansion Packcpe-rescue
cpe:/a:redhat:jbosseapxp
Red Hat/Jboss Enterprise Application Platformcpe-rescue2 versions
cpe:/a:redhat:jboss_enterprise_application_platform:7+ 1 more
- cpe:/a:redhat:jboss_enterprise_application_platform:7
- cpe:/a:redhat:jboss_enterprise_application_platform:8
Red Hat/Process Automationcpe-rescue
cpe:/a:redhat:jboss_enterprise_bpms_platform:7
Red Hat/Red Hat Fuse 7v5
cpe:/a:redhat:jboss_fuse:7
Red Hat/Red Hat build of Quarkusv5
cpe:/a:redhat:quarkus:3
Red Hat/Single Sign Oncpe-rescue
cpe:/a:redhat:red_hat_single_sign_on:7
osv-coords13 versions
pkg:apk/chainguard/infinispan-15.0 pkg:apk/chainguard/infinispan-15.0-compat pkg:apk/chainguard/infinispan-15.0-images pkg:apk/chainguard/infinispan-15.1 pkg:apk/chainguard/infinispan-15.1-compat pkg:apk/chainguard/infinispan-15.1-images pkg:apk/chainguard/infinispan-15.2 pkg:apk/chainguard/infinispan-15.2-compat pkg:apk/chainguard/infinispan-15.2-images pkg:apk/wolfi/infinispan-15.2 pkg:apk/wolfi/infinispan-15.2-compat pkg:apk/wolfi/infinispan-15.2-images pkg:maven/org.infinispan.protostream/protostream
< 15.0.21-r1+ 12 more
- (no CPE)range: < 15.0.21-r1
- (no CPE)range: < 15.0.21-r1
- (no CPE)range: < 15.0.21-r1
- (no CPE)range: < 15.1.7-r3
- (no CPE)range: < 15.1.7-r3
- (no CPE)range: < 15.1.7-r3
- (no CPE)range: < 15.2.6-r1
- (no CPE)range: < 15.2.6-r1
- (no CPE)range: < 15.2.6-r1
- (no CPE)range: < 15.2.6-r1
- (no CPE)range: < 15.2.6-r1
- (no CPE)range: < 15.2.6-r1
- (no CPE)range: < 4.6.2.Final

Patches

4501b6b307a6

IPROTO-263 Limit message nested depth on generated marshallers

https://github.com/infinispan/protostreamFabio Massimo ErcoliMar 27, 2023via ghsa

commit

3 files changed · +37 −0

core/src/main/java/org/infinispan/protostream/annotations/impl/GeneratedMarshallerBase.java+8 −0 modified

@@ -5,6 +5,7 @@
 import org.infinispan.protostream.ProtobufTagMarshaller;
 import org.infinispan.protostream.impl.BaseMarshallerDelegate;
 import org.infinispan.protostream.impl.ByteArrayOutputStreamEx;
+import org.infinispan.protostream.impl.Log;
 import org.infinispan.protostream.impl.TagWriterImpl;
 
 /**
@@ -16,6 +17,8 @@
 @SuppressWarnings("unused")
 public class GeneratedMarshallerBase {
 
+   private static final Log log = Log.LogFactory.getLog(GeneratedMarshallerBase.class);
+
    /**
     * Invoked by generated code.
     */
@@ -38,6 +41,11 @@ protected final <T> void writeMessage(BaseMarshallerDelegate<T> marshallerDelega
     * Invoked by generated code.
     */
    protected final <T> void writeNestedMessage(BaseMarshallerDelegate<T> marshallerDelegate, ProtobufTagMarshaller.WriteContext ctx, int fieldNumber, T message) throws IOException {
+      int maxNestedMessageDepth = ctx.getSerializationContext().getConfiguration().maxNestedMessageDepth();
+      if (ctx.depth() >= maxNestedMessageDepth) {
+         throw log.maxNestedMessageDepth(maxNestedMessageDepth, message.getClass());
+      }
+
       ByteArrayOutputStreamEx baos = new ByteArrayOutputStreamEx();
       TagWriterImpl nested = TagWriterImpl.newNestedInstance(ctx, baos);
       writeMessage(marshallerDelegate, nested, message);

core/src/main/java/org/infinispan/protostream/exception/ProtoStreamException.java+24 −0 added

@@ -0,0 +1,24 @@
+package org.infinispan.protostream.exception;
+
+public class ProtoStreamException extends RuntimeException {
+
+   public ProtoStreamException() {
+      super();
+   }
+
+   public ProtoStreamException(Throwable cause) {
+      super(cause);
+   }
+
+   public ProtoStreamException(String msg) {
+      super(msg);
+   }
+
+   public ProtoStreamException(String msg, Throwable cause) {
+      super(msg, cause);
+   }
+
+   public ProtoStreamException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
+      super(message, cause, enableSuppression, writableStackTrace);
+   }
+}

core/src/main/java/org/infinispan/protostream/impl/Log.java+5 −0 modified

@@ -5,6 +5,7 @@
 import java.io.IOException;
 
 import org.infinispan.protostream.MalformedProtobufException;
+import org.infinispan.protostream.exception.ProtoStreamException;
 import org.jboss.logging.BasicLogger;
 import org.jboss.logging.Logger;
 import org.jboss.logging.annotations.Cause;
@@ -45,6 +46,10 @@ default MalformedProtobufException messageTruncated() {
    @Message(value = "Ran out of buffer space", id = 7)
    IOException outOfWriteBufferSpace(@Cause Throwable cause);
 
+   @Message(value = "The nested message depth appears to be larger than the configured limit of '%s'." +
+         "It is possible that the entity to marshall with type '%s' can have some circular dependencies.", id = 8)
+   ProtoStreamException maxNestedMessageDepth(int maxNestedMessageDepth, Class<?> entityType);
+
    class LogFactory {
       public static Log getLog(Class<?> clazz) {
          return Logger.getMessageLogger(Log.class, clazz.getName());

50320b5987dc

IPROTO-263 Allow to configure the DEFAULT_MAX_NESTED_DEPTH

https://github.com/infinispan/protostreamFabio Massimo ErcoliMar 27, 2023via ghsa

commit

2 files changed · +29 −1

core/src/main/java/org/infinispan/protostream/config/Configuration.java+11 −0 modified

@@ -15,6 +15,8 @@
  */
 public interface Configuration {
 
+   int DEFAULT_MAX_NESTED_DEPTH = 100;
+
    /**
     * The name of the TypeId annotation. This optional annotation defines a unique positive integer type identifier for
     * each message or enum type. This can be used alternatively instead of the fully qualified type name during
@@ -35,6 +37,13 @@ public interface Configuration {
     */
    boolean logOutOfSequenceWrites();
 
+   /**
+    * The max nested message depth to apply to all {@link org.infinispan.protostream.annotations.impl.GeneratedMarshallerBase}s.
+    * This value is used as way to avoid recurring on circular dependencies without the need to maintain the list of already visited entities.
+    * Default to {@link #DEFAULT_MAX_NESTED_DEPTH}
+    */
+   int maxNestedMessageDepth();
+
    WrappingConfig wrappingConfig();
 
    interface WrappingConfig {
@@ -84,6 +93,8 @@ interface Builder {
 
       Builder setLogOutOfSequenceWrites(boolean logOutOfSequenceWrites);
 
+      Builder maxNestedMessageDepth(int maxNestedMessageDepth);
+
       /**
        * Should we log a warning every time we encounter an undefined documentation annotation? This is {@code true} by
        * default.

core/src/main/java/org/infinispan/protostream/config/impl/ConfigurationImpl.java+18 −1 modified

@@ -23,11 +23,15 @@ public final class ConfigurationImpl implements Configuration {
 
    private final AnnotationsConfigImpl annotationsConfig;
 
+   private final int maxNestedMessageDepth;
+
    private ConfigurationImpl(boolean logOutOfSequenceReads, boolean logOutOfSequenceWrites,
+                             int maxNestedMessageDepth,
                              WrappedMessageTypeIdMapper wrappedMessageTypeIdMapper,
                              Map<String, AnnotationConfigurationImpl> annotations, boolean logUndefinedAnnotations) {
       this.logOutOfSequenceReads = logOutOfSequenceReads;
       this.logOutOfSequenceWrites = logOutOfSequenceWrites;
+      this.maxNestedMessageDepth = maxNestedMessageDepth;
       this.wrappingConfig = new WrappingConfigImpl(wrappedMessageTypeIdMapper);
       this.annotationsConfig = new AnnotationsConfigImpl(annotations, logUndefinedAnnotations);
    }
@@ -42,6 +46,11 @@ public boolean logOutOfSequenceWrites() {
       return logOutOfSequenceWrites;
    }
 
+   @Override
+   public int maxNestedMessageDepth() {
+      return maxNestedMessageDepth;
+   }
+
    @Override
    public WrappingConfig wrappingConfig() {
       return wrappingConfig;
@@ -114,6 +123,8 @@ public static final class BuilderImpl implements Builder {
 
       private boolean logOutOfSequenceWrites = true;
 
+      private int maxNestedMessageDepth = Configuration.DEFAULT_MAX_NESTED_DEPTH;
+
       private WrappingConfigBuilderImpl wrappingConfigBuilder = null;
 
       private AnnotationsConfigBuilderImpl annotationsConfigBuilder = null;
@@ -180,6 +191,12 @@ public Builder setLogOutOfSequenceWrites(boolean logOutOfSequenceWrites) {
          return this;
       }
 
+      @Override
+      public Builder maxNestedMessageDepth(int maxNestedMessageDepth) {
+         this.maxNestedMessageDepth = maxNestedMessageDepth;
+         return this;
+      }
+
       @Override
       public WrappingConfigBuilderImpl wrappingConfig() {
          if (wrappingConfigBuilder == null) {
@@ -228,7 +245,7 @@ public Configuration build() {
 
          // TypeId is the only predefined annotation. If there are more than one then we know we have at least one user defined.
          boolean logUndefinedAnnotations = annotationsConfig().logUndefinedAnnotations == null ? annotations.size() > 1 : annotationsConfig().logUndefinedAnnotations;
-         return new ConfigurationImpl(logOutOfSequenceReads, logOutOfSequenceWrites,
+         return new ConfigurationImpl(logOutOfSequenceReads, logOutOfSequenceWrites, maxNestedMessageDepth,
                wrappingConfig().wrappedMessageTypeIdMapper,
                annotations, logUndefinedAnnotations);
       }

4ef66958f2c4

IPROTO-263 Count recursion depth on nested tag writers

https://github.com/infinispan/protostreamFabio Massimo ErcoliMar 27, 2023via ghsa

commit

2 files changed · +11 −0

core/src/main/java/org/infinispan/protostream/impl/TagWriterImpl.java+9 −0 modified

@@ -34,6 +34,8 @@ public final class TagWriterImpl implements TagWriter, ProtobufTagMarshaller.Wri
 
    private final TagWriterImpl parent;
 
+   private final int depth;
+
    // lazily initialized
    private Map<Object, Object> params = null;
 
@@ -43,12 +45,14 @@ public final class TagWriterImpl implements TagWriter, ProtobufTagMarshaller.Wri
 
    private TagWriterImpl(TagWriterImpl parent, Encoder encoder) {
       this.parent = parent;
+      this.depth = parent.depth + 1;
       this.serCtx = parent.serCtx;
       this.encoder = encoder;
    }
 
    private TagWriterImpl(SerializationContextImpl serCtx, Encoder encoder) {
       this.parent = null;
+      this.depth = 0;
       this.serCtx = serCtx;
       this.encoder = encoder;
    }
@@ -274,6 +278,11 @@ public TagWriter getWriter() {
       return this;
    }
 
+   @Override
+   public int depth() {
+      return depth;
+   }
+
    /**
     * @deprecated this will be removed in 5.0 together with {@link org.infinispan.protostream.MessageMarshaller}
     */

core/src/main/java/org/infinispan/protostream/ProtobufTagMarshaller.java+2 −0 modified

@@ -45,5 +45,7 @@ interface ReadContext extends OperationContext {
     */
    interface WriteContext extends OperationContext {
       TagWriter getWriter();
+
+      int depth();
    }
 }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

access.redhat.com/errata/RHSA-2023:5396ghsavendor-advisoryx_refsource_REDHATWEB
github.com/advisories/GHSA-488m-w9fp-5mm2ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-5236ghsaADVISORY
access.redhat.com/security/cve/CVE-2023-5236ghsavdb-entryx_refsource_REDHATWEB
bugzilla.redhat.com/show_bug.cgighsaissue-trackingx_refsource_REDHATWEB
github.com/infinispan/protostream/commit/4501b6b307a6bab545346f66238f8be7e42f83ebghsaWEB
github.com/infinispan/protostream/commit/4ef66958f2c4890ae1c6a7acd629d27bd88aa4cbghsaWEB
github.com/infinispan/protostream/commit/50320b5987dc87bc04b616b87e8cf93472ee19c1ghsaWEB
issues.redhat.com/browse/IPROTO-262ghsaWEB
issues.redhat.com/browse/IPROTO-263ghsaWEB
issues.redhat.com/browse/ISPN-14534ghsaWEB
security.netapp.com/advisory/ntap-20240125-0004ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000