Anthropic's Buffa Rust Library Suffers Zero-Day DoS Vulnerability
A zero-day denial-of-service vulnerability in Anthropic's buffa Rust library, affecting versions prior to 0.8.0, allows attackers to trigger unbounded heap allocations and crash processes.

A zero-day denial-of-service (DoS) vulnerability has been disclosed in Anthropic's buffa Rust library, a component for encoding and decoding protobuf messages. The flaw, tracked as CVE-2026-55407 and GHSA-f9qc-qg88-7pq5, affects buffa and connectrpc versions earlier than 0.8.0. Its CVSS 4.0 base score is 6.3 (Moderate), but the practical impact can reach High or Critical depending on the deployment architecture and the memory limits of the decoding process.
The vulnerability was found by Endor Labs' AI SAST engine during an analysis of buffa's codebase. The engine flagged a data flow in the unknown-field decoder: the decode_unknown_field function reads a length prefix directly from untrusted protobuf wire data, converts it to a usize, and uses it to allocate a Vec<u8> with no explicit upper bound beyond the range of the type itself. A bounds check stops the read from running past the end of the input, but it does not cap the allocation, so an attacker can force large allocations by sending oversized length-delimited fields.
Initial analysis suggested a modest amplification factor, roughly doubling heap usage relative to input size, which a strict cap on message size could contain. A closer look at the handling of WireType::StartGroup, however, revealed a far more potent vector. On this path the decoder loops, decoding nested unknown fields until it meets the matching EndGroup tag, and appends each one to an UnknownFields structure. The problem is the per-field ratio: the smallest nested field occupies just two bytes on the wire (a one-byte tag followed by a one-byte varint), yet each decoded field costs roughly 40 bytes of heap, plus the slack left by vector growth. A crafted group can therefore turn a modest input into an enormous in-memory structure.
Endor Labs' proof-of-concept demonstrated the effect. A 64 MiB protobuf payload holding millions of minimal varint fields inside a single unknown group drove heap usage to roughly 1.4 GiB, about 22 times the input size. Decoding that payload inside a Docker container limited to 256 MiB of memory ended with the process killed with exit code 137 (SIGKILL, the signature of the kernel's OOM killer), confirming an out-of-memory DoS.
The flaw is reachable through buffa's default decoding APIs, such as Message::decode and decode_from_slice. Any service that decodes untrusted protobuf input with the preserve_unknown_fields option enabled, which is the default, is therefore exposed.
Anthropic addressed the issue in version 0.8.0 of buffa and connectrpc. The fix adds a configurable per-message limit on the number of unknown fields, capping the allocation overhead at tens of megabytes even for malicious input. Organizations that cannot upgrade immediately can regenerate their code with preserve_unknown_fields=false, which stops unknown fields from being retained and removes the vulnerable path from the decoder entirely.
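As an added example for this article (not code from buffa, connectrpc, or Endor Labs' proof-of-concept), the Rust below implements a small unknown-field-preserving protobuf decoder with the shape described above: a bounds-checked length-delimited path, and a StartGroup path that loops over nested fields until the matching EndGroup. amplification_payload builds a constructed stand-in for the PoC input, a single unknown group of two-byte varint fields; retained_bytes measures what the decoded structure keeps alive; and Limits carries a per-message cap on unknown fields of the kind the 0.8.0 fix introduces. All type, function and field names (UnknownValue, UnknownField, Limits, decode_unknown_fields, amplification_payload) are this example's assumptions, not buffa's API, and the article's roughly 40-byte per-field figure corresponds here to size_of::<UnknownField>(), which depends on the compiler's layout.

```rust
use std::mem::size_of;
/// Unknown field as retained by an unknown-field-preserving decoder (names are this example's own).
#[derive(Debug, Clone, PartialEq)]
pub enum UnknownValue {
    Varint(u64),
    Fixed(Vec<u8>), // raw fixed32 / fixed64 bytes
    LengthDelimited(Vec<u8>),
    Group(Vec<UnknownField>),
}
#[derive(Debug, Clone, PartialEq)]
pub struct UnknownField { pub number: u32, pub value: UnknownValue }
#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,
    BadVarint,
    BadWireType(u8),
    UnexpectedEndGroup,
    TooManyUnknownFields { limit: usize },
}
/// Hypothetical decoder limits; `None` reproduces the uncapped pre-0.8.0 behaviour described above.
pub struct Limits { pub max_unknown_fields: Option<usize> }

fn read_varint(buf: &[u8], pos: &mut usize) -> Result<u64, DecodeError> {
    let mut value = 0u64;
    for shift in (0u32..70).step_by(7) {
        let b = *buf.get(*pos).ok_or(DecodeError::Truncated)?;
        *pos += 1;
        value |= u64::from(b & 0x7f) << shift;
        if b & 0x80 == 0 { return Ok(value); }
    }
    Err(DecodeError::BadVarint) // more than 10 bytes: malformed varint
}

/// Bounds-checked read. As in the article, it stops out-of-bounds reads but does not itself cap
/// what the caller allocates from the slice (that allocation stays bounded by the input size).
fn take<'a>(buf: &'a [u8], pos: &mut usize, n: usize) -> Result<&'a [u8], DecodeError> {
    let end = (*pos).checked_add(n).filter(|&e| e <= buf.len()).ok_or(DecodeError::Truncated)?;
    let out = &buf[*pos..end];
    *pos = end;
    Ok(out)
}

/// Decode fields until end of input or the EndGroup tag matching `group`. `count` is shared by
/// every nesting level, so the limit is per message and nested groups cannot reset it.
fn decode_fields(buf: &[u8], pos: &mut usize, group: Option<u32>, limits: &Limits,
                 count: &mut usize) -> Result<Vec<UnknownField>, DecodeError> {
    let mut out = Vec::new();
    while *pos < buf.len() {
        let tag = read_varint(buf, pos)?;
        let (number, wire_type) = ((tag >> 3) as u32, (tag & 7) as u8);
        if wire_type == 4 {
            return if group == Some(number) { Ok(out) } else { Err(DecodeError::UnexpectedEndGroup) };
        }
        // The fix: account for the field before allocating anything for it.
        *count += 1;
        if let Some(max) = limits.max_unknown_fields.filter(|&max| *count > max) {
            return Err(DecodeError::TooManyUnknownFields { limit: max });
        }
        let value = match wire_type {
            0 => UnknownValue::Varint(read_varint(buf, pos)?),
            1 | 5 => UnknownValue::Fixed(take(buf, pos, if wire_type == 1 { 8 } else { 4 })?.to_vec()),
            2 => {
                let len = usize::try_from(read_varint(buf, pos)?).map_err(|_| DecodeError::Truncated)?;
                UnknownValue::LengthDelimited(take(buf, pos, len)?.to_vec())
            }
            3 => UnknownValue::Group(decode_fields(buf, pos, Some(number), limits, count)?),
            w => return Err(DecodeError::BadWireType(w)),
        };
        out.push(UnknownField { number, value });
    }
    // Running out of input inside an open group means the payload is truncated.
    if group.is_some() { Err(DecodeError::Truncated) } else { Ok(out) }
}

pub fn decode_unknown_fields(buf: &[u8], limits: &Limits) -> Result<Vec<UnknownField>, DecodeError> {
    let (mut pos, mut count) = (0usize, 0usize);
    decode_fields(buf, &mut pos, None, limits, &mut count)
}

/// Constructed attack payload (not the real PoC): one unknown group (field 2) enclosing `n`
/// minimal varint fields (field 1, value 0), each exactly two bytes on the wire.
pub fn amplification_payload(n: usize) -> Vec<u8> {
    let mut p = vec![0x13]; // (2 << 3) | 3: StartGroup, field 2
    for _ in 0..n {
        p.extend_from_slice(&[0x08, 0x00]); // (1 << 3) | 0: varint field 1, value 0
    }
    p.push(0x14); // (2 << 3) | 4: EndGroup, field 2
    p
}

/// Heap bytes kept alive by the decoded structure (conservative: element count, not capacity).
pub fn retained_bytes(fields: &[UnknownField]) -> usize {
    fields.len() * size_of::<UnknownField>()
        + fields.iter().map(|f| match &f.value {
            UnknownValue::Fixed(b) | UnknownValue::LengthDelimited(b) => b.len(),
            UnknownValue::Group(g) => retained_bytes(g),
            UnknownValue::Varint(_) => 0,
        }).sum::<usize>()
}
```

Decoding a million-field group (about 2 MiB on the wire) with max_unknown_fields set to None retains tens of megabytes, on the order of 16 bytes kept per input byte with typical layouts and before counting vector growth; with a limit in place the decoder fails with TooManyUnknownFields before the group is materialised, while a message carrying a handful of unknown fields still decodes. Two design points carry the fix: the counter is checked before any allocation for the field, and it is shared across nesting levels, so wrapping groups inside groups cannot reset it. The example does not cap recursion depth, which a production decoder also needs, since deeply nested groups can exhaust the stack.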
The case shows the limits of relying on input-size caps alone: group amplification turns message sizes that look safe into process-killing allocations. It is also notable that an AI-driven SAST engine found a logic-level DoS in a memory-safe language by tracing untrusted data to a heap-allocation sink; Rust's guarantees rule out memory corruption, not resource exhaustion. The coordinated disclosure between Endor Labs and Anthropic underscores the need for data-flow-aware analysis even in languages designed for safety, especially for high-assurance components in sensitive applications such as frontier AI systems.