How the CVE Works
The vulnerability in protobuf-python arises when the pure-Python parser processes untrusted Protocol Buffers data containing deeply nested recursive groups or messages. The implementation does not bound recursion depth, so a crafted payload with deeply nested structures (e.g., `SGROUP` tags) drives unbounded recursion until the stack overflows and the process crashes, causing a denial of service. This affects environments where `PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python` is set or where the pure-Python backend is used by default.
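As an added defensive example (not code from the advisory or from the protobuf project), the following pre-check walks the raw wire format and rejects input whose `SGROUP`/`EGROUP` nesting exceeds a chosen depth before the pure-Python parser recurses into it. The limit `MAX_GROUP_DEPTH` is an assumed policy value; length-delimited submessages cannot be distinguished from `bytes` fields without the schema, so only group nesting is bounded here.

```python
# Added example (not from the advisory or protobuf): bound SGROUP nesting on
# the raw wire format before the pure-Python parser recurses into it.
MAX_GROUP_DEPTH = 100  # assumed policy value, not a protobuf constant

def _read_varint(buf, pos):
    """Decode one base-128 varint at buf[pos]; return (value, new_pos)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def max_group_depth(buf, max_depth=MAX_GROUP_DEPTH):
    """Return the deepest SGROUP nesting in buf without building any objects;
    raise ValueError past max_depth or on malformed framing. Wire type 2 is
    skipped as opaque bytes: submessage nesting needs the schema."""
    pos, stack, deepest = 0, [], 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field, wire = tag >> 3, tag & 7
        if wire == 0:                        # varint
            _, pos = _read_varint(buf, pos)
        elif wire in (1, 5):                 # fixed64 / fixed32
            pos += 8 if wire == 1 else 4
        elif wire == 2:                      # length-delimited, skipped
            length, pos = _read_varint(buf, pos)
            pos += length
        elif wire == 3:                      # SGROUP: one level deeper
            stack.append(field)
            deepest = max(deepest, len(stack))
            if len(stack) > max_depth:
                raise ValueError(f"group nesting exceeds {max_depth}")
        elif wire == 4:                      # EGROUP must close the open group
            if not stack or stack.pop() != field:
                raise ValueError("unmatched EGROUP")
        else:
            raise ValueError(f"unknown wire type {wire}")
    if stack or pos > len(buf):
        raise ValueError("unterminated group or truncated field body")
    return deepest

def encode_nested_groups(n, field=1):
    """Constructed test input: n nested SGROUP/EGROUP pairs on one field (<=15)."""
    return bytes([(field << 3) | 3]) * n + bytes([(field << 3) | 4]) * n
```

Call `max_group_depth(data)` on untrusted bytes before `ParseFromString`; a `ValueError` means the payload is rejected without ever reaching the recursive parser.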
DailyCVE Form
Platform: protobuf-python
Version: <4.25.8, 5.26.0rc1-5.29.5, 6.30.0rc1-6.31.1
Vulnerability: DoS via recursion
Severity: High
Date: Jun 16, 2025
Prediction: Patch by Jun 30, 2025
What Undercode Say
Check protobuf version: `python -c "import google.protobuf; print(google.protobuf.__version__)"`
Mitigation command: `export PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=cpp`
How the Exploit Works
Craft a malicious `.proto` with a self-referential (recursive) message type:
message Exploit { required Exploit recursive = 1; }
Protection from this CVE
- Update to 4.25.8, 5.29.5, or 6.31.1
- Use the C++ backend (`PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=cpp`)
Impact
- Service crashes
- Resource exhaustion
Sources:
Reported By: github.com