[security] Vulnerability in google.golang.org/protobuf

1,162 views
Skip to first unread message

Damien Neil

unread,
Mar 5, 2024, 3:05:40 PMMar 5
to golang-...@googlegroups.com
Hello gophers,

Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in the google.golang.org/protobuf/encoding/protojson package which could cause the Unmarshal function to enter an infinite loop when handling some invalid inputs. This condition could only occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown option is set. Unmarshal now correctly returns an error when handling these inputs.

This is CVE-2024-24786.

- Damien, on behalf of the Go team.

Damien Neil

unread,
Mar 8, 2024, 11:58:34 AMMar 8
to golang-...@googlegroups.com
On Tue, Mar 5, 2024 at 11:19 AM Damien Neil <dn...@google.com> wrote:
Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in the google.golang.org/protobuf/encoding/protojson package which could cause the Unmarshal function to enter an infinite loop when handling some invalid inputs. This condition could only occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown option is set. Unmarshal now correctly returns an error when handling these inputs.

A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown option is set (as well as when unmarshaling into any message which contains a google.protobuf.Any). There is no UnmarshalUnknown option.

In addition, version 1.33.0 of google.golang.org/protobuf inadvertently introduced an incompatibility with the older github.com/golang/protobuf module. (https://github.com/golang/protobuf/issues/1596) Users of the older module should update to github.com/golang/prot...@v1.5.4.

- Damien, apologetically on behalf of the Go team. 
Reply all
Reply to author
Forward
0 new messages