HIGH · CVSS 7.5
CVE-2024-7254 — Protocol Buffers StackOverflow DoS
Any protobuf-based RPC or serialization could be forced into deep recursion via crafted input, triggering a StackOverflowError and killing the JVM.
Affects
- protobuf-java < 3.25.5 / 4.27.5 / 4.28.2
What an attacker does
An attacker sends a protobuf message with deeply nested fields to any endpoint that parses protobuf. The Java protobuf library recurses during deserialization; the stack overflows; the service dies.
How to detect
Check the Java dependency graph (the Maven or Gradle dependency tree), not just declared dependencies: protobuf-java is usually pulled in transitively by gRPC and many other libraries, so it may be on the classpath without appearing in your own build file.
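As a defender-side helper for this check (added here; it is not Securie's scanner and not part of the original advisory), the Python script below scans constructed `mvn dependency:tree` and `gradle dependencies` output, picks out the resolved protobuf-java version even when it is only transitive (honouring Gradle's `->` conflict resolution and skipping Maven's "omitted" entries, which are not on the classpath), and compares it with the fixed releases the advisory lists. The sample tree text is made up; treating 4.26.x as vulnerable (it sits below the lowest fixed 4.x release) and 4.29+/5.x as fixed is an assumption of this script, not a statement from the advisory.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:tree` output (not from a real project).
MAVEN_SAMPLE = r"""
[INFO] com.example:billing-service:jar:1.0.0
[INFO] +- io.grpc:grpc-protobuf:jar:1.65.0:compile
[INFO] |  +- com.google.protobuf:protobuf-java:jar:3.25.3:compile
[INFO] |  \- io.grpc:grpc-api:jar:1.65.0:compile
[INFO] \- com.google.protobuf:protobuf-java-util:jar:3.25.3:compile
[INFO]    \- (com.google.protobuf:protobuf-java:jar:3.25.3:compile - omitted for duplicate)
""".strip()

# Constructed sample of `gradle dependencies --configuration compileClasspath` output.
GRADLE_SAMPLE = r"""
compileClasspath - Compile classpath for source set 'main'.
+--- io.grpc:grpc-protobuf:1.65.0
|    +--- com.google.protobuf:protobuf-java:3.25.3 -> 4.28.2
|    \--- io.grpc:grpc-api:1.65.0
\--- com.google.protobuf:protobuf-java-util:4.28.2
     \--- com.google.protobuf:protobuf-java:4.28.2 (*)
""".strip()

# Matches the exact artifact (not protobuf-java-util), with or without Maven's
# packaging segment, and captures a Gradle "-> resolved" version if present.
COORD = re.compile(
    r"com\.google\.protobuf:protobuf-java:"
    r"(?:(?:jar|bundle):)?"
    r"(?P<ver>\d+\.\d+(?:\.\d+)?)"
    r"(?:[^\n]*?->\s*(?P<resolved>\d+\.\d+(?:\.\d+)?))?"
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '3.25.3' (or '3.25', '4.28.2-rc1') into a comparable (major, minor, patch)."""
    nums = []
    for part in version.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_vulnerable(version: str) -> bool:
    """Compare against the fixed releases in the advisory: 3.25.5 / 4.27.5 / 4.28.2."""
    major, minor, patch = parse_version(version)
    if major < 3:
        return True  # assumption: no release older than 3.x carries the fix
    if major == 3:
        return (minor, patch) < (25, 5)
    if major == 4:
        if minor <= 27:
            return (minor, patch) < (27, 5)  # assumption: 4.26.x and below are pre-fix
        if minor == 28:
            return patch < 2
        return False  # assumption: 4.29+ shipped after the fix
    return False  # assumption: 5.x and later are post-fix


def scan_dependency_tree(text: str) -> List[Dict]:
    """Return every protobuf-java occurrence that is actually on the resolved classpath."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = COORD.search(line)
        if not m:
            continue
        if "omitted for" in line:
            continue  # Maven lists these for information only; they are not used
        version = m.group("resolved") or m.group("ver")  # Gradle arrow wins if present
        findings.append({
            "line": lineno,
            "version": version,
            "vulnerable": is_vulnerable(version),
            "text": line.strip(),
        })
    return findings


def vulnerable_versions(text: str) -> List[str]:
    """Convenience wrapper: just the versions that need an upgrade."""
    return sorted({f["version"] for f in scan_dependency_tree(text) if f["vulnerable"]})


if __name__ == "__main__":
    for name, sample in (("maven", MAVEN_SAMPLE), ("gradle", GRADLE_SAMPLE)):
        for f in scan_dependency_tree(sample):
            status = "VULNERABLE" if f["vulnerable"] else "ok"
            print(f"{name} line {f['line']}: protobuf-java {f['version']} [{status}]")
```

In real use, pipe the actual build tool output into `scan_dependency_tree` (for example via `sys.stdin.read()`); the Maven sample above flags the transitive 3.25.3 that gRPC pulled in, while the Gradle sample shows a declared 3.25.3 that conflict resolution already upgraded to a fixed release.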
How to fix
Upgrade protobuf-java to a fixed release on the branch you use: 3.25.5, 4.27.5 or 4.28.2. Because the dependency is usually transitive, pin the fixed version in your own build (Maven dependencyManagement or a Gradle constraint) so that gRPC or other libraries cannot drag an older one back in.
How Securie catches it
Securie's Java scanner flags vulnerable protobuf-java + gRPC endpoints.