VYPR
High severityNVD Advisory· Published Sep 19, 2024· Updated Sep 8, 2025

Stack overflow in Protocol Buffers Java Lite

CVE-2024-7254

Description

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
com.google.protobuf:protobuf-javaMaven
< 3.25.53.25.5
com.google.protobuf:protobuf-javaliteMaven
< 3.25.53.25.5
com.google.protobuf:protobuf-kotlinMaven
< 3.25.53.25.5
com.google.protobuf:protobuf-kotlin-liteMaven
< 3.25.53.25.5
google-protobufRubyGems
< 3.25.53.25.5
google-protobufRubyGems
>= 4.0.0.rc.1, < 4.27.54.27.5
google-protobufRubyGems
>= 4.28.0.rc.1, < 4.28.24.28.2
com.google.protobuf:protobuf-kotlin-liteMaven
>= 4.0.0-RC1, < 4.27.54.27.5
com.google.protobuf:protobuf-kotlin-liteMaven
>= 4.28.0-RC1, < 4.28.24.28.2
com.google.protobuf:protobuf-kotlinMaven
>= 4.0.0-RC1, < 4.27.54.27.5
com.google.protobuf:protobuf-kotlinMaven
>= 4.28.0-RC1, < 4.28.24.28.2
com.google.protobuf:protobuf-javaliteMaven
>= 4.0.0-RC1, < 4.27.54.27.5
com.google.protobuf:protobuf-javaliteMaven
>= 4.28.0-RC1, < 4.28.24.28.2
com.google.protobuf:protobuf-javaMaven
>= 4.0.0-RC1, < 4.27.54.27.5
com.google.protobuf:protobuf-javaMaven
>= 4.28.0-RC1, < 4.28.24.28.2

Affected products

392

Patches

Vulnerability mechanics

References

12

News mentions

0

No linked articles in our index yet.