What is CVE-2024-7254?

CVE-2024-7254 is a vulnerability in Google Google-protobuf [Jruby Gem], classified under Uncontrolled Resource Consumption. Published 2024-09-19.

Is CVE-2024-7254 known to be exploited?

3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Resource exhaustion in Google Google-protobuf [Jruby Gem]

CVE-2024-7254

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with Dis…

Vulnerability class: DoS (Denial of Service)

EPSS: 0.001 (33.0th percentile) — read the EPSS interpretation.

Affected products

Google Google-protobuf [Jruby Gem] — versions 0
Google Protobuf-java — versions 0
Google Protobuf-javalite — versions 0
Google Protobuf-kotlin — versions 0
Google Protobuf-kotllin-lite — versions 0
Google Protocol Buffers — versions 0

Weakness classification (CWE)

Public proof-of-concept exploits

References

github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857…

Frequently asked questions

What is CVE-2024-7254?: CVE-2024-7254 is a vulnerability in Google Google-protobuf [Jruby Gem], classified under Uncontrolled Resource Consumption. Published 2024-09-19.
Is CVE-2024-7254 known to be exploited?: 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.