Medium severity5.9OSV Advisory· Published Jul 5, 2025· Updated Apr 15, 2026
CVE-2025-53605
CVE-2025-53605
Description
The protobuf crate before 3.7.2 for Rust allows uncontrolled recursion in the protobuf::coded_input_stream::CodedInputStream::skip_group parsing of unknown fields in untrusted input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
protobufcrates.io | < 3.7.2 | 3.7.2 |
Affected products
17- Range: v1.0.24, v1.2.0, v1.2.1, …
- osv-coords16 versionspkg:apk/chainguard/parseablepkg:apk/chainguard/qdrantpkg:apk/chainguard/rust-analyzerpkg:apk/chainguard/yara-xpkg:apk/chainguard/yara-x-compatpkg:apk/chainguard/ztunnel-1.24pkg:apk/chainguard/ztunnel-1.25pkg:apk/chainguard/ztunnel-fips-1.25pkg:apk/wolfi/parseablepkg:apk/wolfi/qdrantpkg:apk/wolfi/rust-analyzerpkg:apk/wolfi/yara-xpkg:apk/wolfi/yara-x-compatpkg:apk/wolfi/ztunnel-1.24pkg:apk/wolfi/ztunnel-1.25pkg:cargo/protobuf
< 2.5.5-r0+ 15 more
- (no CPE)range: < 2.5.5-r0
- (no CPE)range: < 1.18.0-r0
- (no CPE)range: < 20260427-r0
- (no CPE)range: < 0.13.0-r2
- (no CPE)range: < 0.13.0-r2
- (no CPE)range: < 1.24.6-r4
- (no CPE)range: < 1.25.5-r2
- (no CPE)range: < 1.25.5-r2
- (no CPE)range: < 2.5.5-r0
- (no CPE)range: < 1.18.0-r0
- (no CPE)range: < 20260427-r0
- (no CPE)range: < 0.13.0-r2
- (no CPE)range: < 0.13.0-r2
- (no CPE)range: < 1.24.6-r4
- (no CPE)range: < 1.25.5-r2
- (no CPE)range: < 3.7.2
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-2gh3-rmm4-6rq5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-53605ghsaADVISORY
- github.com/stepancheg/rust-protobuf/commit/f06992f46771c0a092593b9ebf7afd48740b3ed6ghsaWEB
- github.com/stepancheg/rust-protobuf/issues/749nvdWEB
- rustsec.org/advisories/RUSTSEC-2024-0437.htmlghsaWEB
- crates.io/crates/protobufnvd
- rustsec.org/advisories/RUSTSEC-2024-0437nvd
News mentions
0No linked articles in our index yet.