HIGH · CVSS 7.5
CVE-2024-7254 — Protocol Buffers StackOverflow DoS
Any protobuf-based RPC or serialization could be forced into deep recursion via crafted input, triggering a StackOverflowError and killing the JVM.
Affects
- protobuf-java < 3.25.5 / 4.27.5 / 4.28.2
What an attacker does
An attacker sends a protobuf message with deeply nested fields to any endpoint that parses protobuf. The Java protobuf library recurses during deserialization; the stack overflows; the service dies.
How to detect
Check the Java dependency graph for protobuf-java below the fixed versions; it is pulled in transitively by gRPC and many other libraries, so it may not appear as a direct dependency.
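As an added example (not part of this advisory), a POSIX shell check that reads `mvn dependency:tree` output and flags protobuf-java builds below the fixed releases listed above. The sample tree is constructed, and treating 4.x releases before 4.27 as unfixed is an assumption.

```shell
# Added example: flag protobuf-java versions below the fixes named in the
# advisory (3.25.5, 4.27.5, 4.28.2). Returns 0 when VERSION is vulnerable.
protobuf_java_vulnerable() {
    major=$(printf '%s' "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s' "$1" | cut -s -d. -f2 | sed 's/[^0-9].*//')
    patch=$(printf '%s' "$1" | cut -s -d. -f3 | sed 's/[^0-9].*//')
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    case "$major" in
        3)  # 3.x line: fixed in 3.25.5
            if [ "$minor" -lt 25 ]; then return 0; fi
            if [ "$minor" -eq 25 ] && [ "$patch" -lt 5 ]; then return 0; fi
            return 1 ;;
        4)  # 4.x line: fixed in 4.27.5 and 4.28.2. Assumption: 4.x builds
            # before 4.27 have no fixed release and count as vulnerable.
            if [ "$minor" -lt 27 ]; then return 0; fi
            if [ "$minor" -eq 27 ] && [ "$patch" -lt 5 ]; then return 0; fi
            if [ "$minor" -eq 28 ] && [ "$patch" -lt 2 ]; then return 0; fi
            return 1 ;;
        *)  # anything older than 3.x predates the fix; 5.x+ assumed fixed
            if [ "$major" -lt 3 ]; then return 0; fi
            return 1 ;;
    esac
}
# Read `mvn dependency:tree` text on stdin and print each vulnerable
# protobuf-java coordinate (transitive ones included, e.g. via gRPC).
# Returns 1 when at least one vulnerable build was found.
scan_dependency_tree() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *com.google.protobuf:protobuf-java:jar:*) ;;
            *) continue ;;
        esac
        ver=$(printf '%s\n' "$line" |
            sed 's/.*com\.google\.protobuf:protobuf-java:jar:\([^:]*\).*/\1/')
        if protobuf_java_vulnerable "$ver"; then
            printf 'VULNERABLE: com.google.protobuf:protobuf-java:%s (CVE-2024-7254)\n' "$ver"
            found=$((found + 1))
        fi
    done
    if [ "$found" -eq 0 ]; then return 0; fi
    return 1
}
# Constructed sample of dependency:tree output (not a real project).
SAMPLE_TREE='[INFO] com.example:app:jar:1.0
[INFO] +- io.grpc:grpc-protobuf:jar:1.60.0:compile
[INFO] |  \- com.google.protobuf:protobuf-java:jar:3.25.1:compile
[INFO] \- com.google.protobuf:protobuf-java-util:jar:4.28.2:compile'
printf '%s\n' "$SAMPLE_TREE" | scan_dependency_tree || echo "action: upgrade protobuf-java"
```

Pipe real `mvn dependency:tree` (or an equivalent Gradle dependency listing in the same `group:artifact:jar:version` form) into `scan_dependency_tree` to check a project.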
How to fix
Upgrade protobuf-java to a fixed release on the line you use: 3.25.5, 4.27.5 or 4.28.2 (or later).
How Securie catches CVE-2024-7254
Securie's Java specialist flags vulnerable protobuf-java + gRPC endpoints.