protobufjs, Denial of Service (DoS) via Uncontrolled Recursion, CVE-2024-7254 (Medium)

Listen to this Post

The protobufjs decoder fails to impose a depth limit when recursively parsing nested Protocol Buffers messages. This flaw affects two critical code paths: the parser’s logic for skipping unknown group fields and the generated code for decoding nested message fields. When processing a maliciously crafted binary payload with an extremely deep nesting structure, the decoder’s recursive functions keep calling themselves without any depth check. Each recursion consumes a portion of the JavaScript call stack. By engineering a message with thousands of nested levels, an attacker can exhaust all available stack space long before the parsing operation completes. The JavaScript engine then throws a “RangeError: Maximum call stack size exceeded” or a similar stack‑overflow error, abruptly terminating the application. No recursion limit is enforced on the input, so even a single, carefully crafted payload can reliably crash the process. The vulnerability is triggered solely by the binary data; no special environment or user interaction is required beyond the ability to feed that data to a vulnerable protobufjs instance.

DailyCVE form:

Platform: Node.js / npm
Version: ≤6.11.2, ≤7.5.4
Vulnerability : Stack overflow
Severity: Medium
date: 2024‑09‑19

Prediction: Late Sep 2024

Analytics under heading What Undercode Say:

Count nested groups in a malicious payload
$ strings payload.bin | grep -c "^end$"
Monitor stack usage while decoding
$ node --stack-trace-limit=10000 decode.js
Log recursion depth
$ protobufjs decode --trace-deep 2>&1 | grep "Recursing"

Exploit:

An attacker crafts a protobuf binary message containing a message field that recursively includes itself. The attacker repeats this nesting hundreds or thousands of times. When the victim’s protobufjs decoder processes this payload, it enters an unbounded recursion, consuming all available JavaScript stack space and crashing the application. No special privileges or additional attack vectors are needed.

Protection from this CVE

Upgrade to protobufjs version 6.11.3 or 7.5.5 where a maximum recursion depth (default 100) is enforced. Until an upgrade is possible, reject any protobuf input that contains more than 100 levels of nesting at the application boundary. Alternatively, isolate the protobuf decoding logic inside a separate process that can be safely restarted.

Impact

A remote attacker can send a single, specially crafted protobuf binary message to any application that uses an affected protobufjs version to decode untrusted input. Successful exploitation immediately crashes the Node.js process, leading to a denial of service (DoS). The attack requires no prior access, can be executed by any external party who can deliver the malicious payload, and typically results in full application unavailability until manual restart.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top