CVE-2024-7254 — Uncontrolled Resource Consumption in Google Google-protobuf

CWE-400 — Uncontrolled Resource Consumption CWE-674 — Uncontrolled Recursion CWE-787 — Out-of-bounds Write CWE-20 — Improper Input Validation CWE-770 — Allocation of Resources Without Limits or Throttling19 documents9 sources

Severity

8.7HIGHNVD

EPSS

0.1%

top 75.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Google-protobuf Google Protobuf-java Google Protobuf-javalite +6 more

Timeline

PublishedSep 19

Latest updateOct 15

Description

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages14 packages

▶CVEListV5google/protobuf-javalite< 4.27.5+2

▶NVDgoogle/protobuf-javalite4.0.0 — 4.27.5+2

▶CVEListV5google/protobuf-java< 4.27.5+2

▶NVDgoogle/protobuf-java4.0.0 — 4.27.5+2

▶NVDgoogle/protobuf-kotlin-lite4.0.0 — 4.27.5+2

Also affects: Ontap Tools 10

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

protobuf vulnerabilities↗2025-09-02

▶

OSV

protobuf vulnerabilities↗2025-07-09

▶

GHSA

protobuf-java has potential Denial of Service issue↗2024-09-19

▶

OSV

protobuf-java has potential Denial of Service issue↗2024-09-19

▶

CVEList

Stack overflow in Protocol Buffers Java Lite↗2024-09-19

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Applications Risk Matrix: Installation (Google Protobuf-Java) — CVE-2024-7254↗2025-10-15

▶

Ubuntu

Protocol Buffers vulnerabilities↗2025-09-02

▶

Oracle

Oracle Oracle Communications Risk Matrix: Automated Test Suite (Google Protobuf-Java) — CVE-2024-7254↗2025-07-15

▶

Ubuntu

Protocol Buffers vulnerabilities↗2025-07-09

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Security (Google Protobuf-Java) — CVE-2024-7254↗2025-04-15

▶