Lookup for vulnerable packages by Package URL.

Purl pkg:maven/com.google.protobuf/protobuf-javalite@3.24.0
Type maven
Namespace com.google.protobuf
Name protobuf-javalite
Version 3.24.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.25.5
Latest_non_vulnerable_version 4.28.2
Affected_by_vulnerabilities
0
url VCID-4rvj-nz7h-m7ek
vulnerability_id VCID-4rvj-nz7h-m7ek
summary
protobuf-java has potential Denial of Service issue
### Summary
When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team <ecosystem@trailofbits.com>

Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.

### Severity
[CVE-2024-7254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254) **High** CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)
This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

### Proof of Concept
For reproduction details, please refer to the unit tests (Protobuf Java [LiteTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java) and [CodedInputStreamTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java)) that identify the specific inputs that exercise this parsing weakness.

### Remediation and Mitigation
We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:
* protobuf-java (3.25.5, 4.27.5, 4.28.2)
* protobuf-javalite (3.25.5, 4.27.5, 4.28.2)
* protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)
* protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)
* com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-7254.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-7254.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-7254
reference_id
reference_type
scores
0
value 0.00077
scoring_system epss
scoring_elements 0.22905
published_at 2026-04-08T12:55:00Z
1
value 0.00077
scoring_system epss
scoring_elements 0.22832
published_at 2026-04-07T12:55:00Z
2
value 0.00077
scoring_system epss
scoring_elements 0.22997
published_at 2026-04-02T12:55:00Z
3
value 0.00077
scoring_system epss
scoring_elements 0.2304
published_at 2026-04-04T12:55:00Z
4
value 0.00085
scoring_system epss
scoring_elements 0.24604
published_at 2026-04-13T12:55:00Z
5
value 0.00085
scoring_system epss
scoring_elements 0.24686
published_at 2026-04-09T12:55:00Z
6
value 0.00085
scoring_system epss
scoring_elements 0.24526
published_at 2026-04-24T12:55:00Z
7
value 0.00085
scoring_system epss
scoring_elements 0.24583
published_at 2026-04-21T12:55:00Z
8
value 0.00085
scoring_system epss
scoring_elements 0.24606
published_at 2026-04-18T12:55:00Z
9
value 0.00085
scoring_system epss
scoring_elements 0.24617
published_at 2026-04-16T12:55:00Z
10
value 0.00085
scoring_system epss
scoring_elements 0.24661
published_at 2026-04-12T12:55:00Z
11
value 0.00085
scoring_system epss
scoring_elements 0.24701
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-7254
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/protocolbuffers/protobuf
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/protocolbuffers/protobuf
5
reference_url https://github.com/protocolbuffers/protobuf/commit/4728531c162f2f9e8c2ca1add713cfee2db6be3b
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/protocolbuffers/protobuf/commit/4728531c162f2f9e8c2ca1add713cfee2db6be3b
6
reference_url https://github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b
7
reference_url https://github.com/protocolbuffers/protobuf/commit/9a5f5fe752a20cbac2e722b06949ac985abdd534
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/protocolbuffers/protobuf/commit/9a5f5fe752a20cbac2e722b06949ac985abdd534
8
reference_url https://github.com/protocolbuffers/protobuf/commit/ac9fb5b4c71b0dd80985b27684e265d1f03abf46
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/protocolbuffers/protobuf/commit/ac9fb5b4c71b0dd80985b27684e265d1f03abf46
9
reference_url https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-19T14:29:43Z/
url https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
10
reference_url https://github.com/protocolbuffers/protobuf/commit/d6c82fc55a76481c676f541a255571e8950bb8c3
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/protocolbuffers/protobuf/commit/d6c82fc55a76481c676f541a255571e8950bb8c3
11
reference_url https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
4
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2024-7254.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2024-7254.yml
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-7254
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-7254
14
reference_url https://security.netapp.com/advisory/ntap-20241213-0010
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20241213-0010
15
reference_url https://security.netapp.com/advisory/ntap-20250418-0006
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250418-0006
16
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082381
reference_id 1082381
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082381
17
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2313454
reference_id 2313454
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2313454
18
reference_url https://github.com/advisories/GHSA-735f-pc8j-v9w8
reference_id GHSA-735f-pc8j-v9w8
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-735f-pc8j-v9w8
19
reference_url https://access.redhat.com/errata/RHSA-2024:10700
reference_id RHSA-2024:10700
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10700
20
reference_url https://access.redhat.com/errata/RHSA-2024:11255
reference_id RHSA-2024:11255
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:11255
21
reference_url https://access.redhat.com/errata/RHSA-2024:11256
reference_id RHSA-2024:11256
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:11256
22
reference_url https://access.redhat.com/errata/RHSA-2024:7670
reference_id RHSA-2024:7670
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:7670
23
reference_url https://access.redhat.com/errata/RHSA-2024:7676
reference_id RHSA-2024:7676
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:7676
24
reference_url https://access.redhat.com/errata/RHSA-2024:7972
reference_id RHSA-2024:7972
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:7972
25
reference_url https://access.redhat.com/errata/RHSA-2024:8064
reference_id RHSA-2024:8064
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8064
26
reference_url https://access.redhat.com/errata/RHSA-2025:20052
reference_id RHSA-2025:20052
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20052
27
reference_url https://access.redhat.com/errata/RHSA-2025:20057
reference_id RHSA-2025:20057
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20057
28
reference_url https://usn.ubuntu.com/7435-1/
reference_id USN-7435-1
reference_type
scores
url https://usn.ubuntu.com/7435-1/
29
reference_url https://usn.ubuntu.com/7629-1/
reference_id USN-7629-1
reference_type
scores
url https://usn.ubuntu.com/7629-1/
30
reference_url https://usn.ubuntu.com/7629-2/
reference_id USN-7629-2
reference_type
scores
url https://usn.ubuntu.com/7629-2/
fixed_packages
0
url pkg:maven/com.google.protobuf/protobuf-javalite@3.25.5
purl pkg:maven/com.google.protobuf/protobuf-javalite@3.25.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.google.protobuf/protobuf-javalite@3.25.5
1
url pkg:maven/com.google.protobuf/protobuf-javalite@4.27.5
purl pkg:maven/com.google.protobuf/protobuf-javalite@4.27.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.google.protobuf/protobuf-javalite@4.27.5
2
url pkg:maven/com.google.protobuf/protobuf-javalite@4.28.2
purl pkg:maven/com.google.protobuf/protobuf-javalite@4.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.google.protobuf/protobuf-javalite@4.28.2
aliases CVE-2024-7254, GHSA-735f-pc8j-v9w8
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4rvj-nz7h-m7ek
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.google.protobuf/protobuf-javalite@3.24.0