CVE-2025-53605 — Uncontrolled Recursion in Protobuf

CWE-674 — Uncontrolled Recursion CWE-20 — Improper Input Validation CWE-770 — Allocation of Resources Without Limits or Throttling8 documents6 sources

Severity

5.9MEDIUMNVD

EPSS

0.0%

top 86.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Stepancheg Protobuf Google Protobuf Debian Rust-protobuf +12 more

Timeline

PublishedJul 5

Latest updateJul 8

Description

The protobuf crate before 3.7.2 for Rust allows uncontrolled recursion in the protobuf::coded_input_stream::CodedInputStream::skip_group parsing of unknown fields in untrusted input.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages15 packages

▶debiandebian/rust-protobuf< rust-protobuf 3.7.2-1 (forky)

▶crates.iogoogle/protobuf0.0.0-0 — 3.7.2+1

▶CVEListV5stepancheg/protobuf< 3.7.2

▶msrcmsrc/azl3_rust_1.86.0-4_on_azure_linux_3.0

▶msrcmsrc/azl3_rust_1.75.0-17_on_azure_linux_3.0

🔴Vulnerability Details

OSV

CVE-2025-53605: The protobuf crate before 3↗2025-07-05

▶

GHSA

Crash due to uncontrolled recursion in protobuf crate↗2025-03-07

▶

OSV

Crash due to uncontrolled recursion in protobuf crate↗2025-03-07

▶

OSV

Crash due to uncontrolled recursion in protobuf crate↗2024-12-12

▶

📋Vendor Advisories

Microsoft

The protobuf crate before 3.7.2 for Rust allows uncontrolled recursion in the protobuf::coded_input_stream::CodedInputStream::skip_group parsing of unknown fields in untrusted input.↗2025-07-08

▶

Red Hat

protobuf: Protobuf: Uncontrolled Recursion Vulnerability↗2025-07-05

▶

Debian

CVE-2025-53605: rust-protobuf - The protobuf crate before 3.7.2 for Rust allows uncontrolled recursion in the pr...↗2025

▶