Vulnerability Report: GO-2024-2611

CVE-2024-24786, GHSA-8r3f-844c-mc37
Affects: google.golang.org/protobuf
Published: Mar 05, 2024
Modified: May 20, 2024

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Affected Packages

Path

Go Versions

Symbols
google.golang.org/protobuf/encoding/protojson

before v1.33.0
- Unmarshal
- UnmarshalOptions.Unmarshal
google.golang.org/protobuf/internal/encoding/json

before v1.33.0
- Decoder.Peek
- Decoder.Read

Aliases

CVE-2024-24786
GHSA-8r3f-844c-mc37

References

https://go.dev/cl/569356
https://vuln.go.dev/ID/GO-2024-2611.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL