Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/protobuf@5.29.5

Type pypi

Namespace

Name protobuf

Version 5.29.5

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 5.29.6

Latest_non_vulnerable_version 7.34.0rc1

Affected_by_vulnerabilities

url VCID-u1c9-xd6h-8fgc

vulnerability_id VCID-u1c9-xd6h-8fgc

summary

protobuf affected by a JSON recursion depth bypass
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.

Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0994.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0994.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-0994

reference_id

reference_type

scores

value	0.00013
scoring_system	epss
scoring_elements	0.02443
published_at	2026-06-07T12:55:00Z

value	0.00013
scoring_system	epss
scoring_elements	0.02506
published_at	2026-06-05T12:55:00Z

value	0.00013
scoring_system	epss
scoring_elements	0.02501
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-0994

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0994
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0994

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/protocolbuffers/protobuf

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/protocolbuffers/protobuf

reference_url

https://github.com/protocolbuffers/protobuf/commit/5ebddcb1bcbe51d1fe323baa145e85f4f23128cf

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/protocolbuffers/protobuf/commit/5ebddcb1bcbe51d1fe323baa145e85f4f23128cf

reference_url

https://github.com/protocolbuffers/protobuf/commit/d2b001626d137c62dfee6c88c87324102531868b

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/protocolbuffers/protobuf/commit/d2b001626d137c62dfee6c88c87324102531868b

reference_url

https://github.com/protocolbuffers/protobuf/issues/25070

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/protocolbuffers/protobuf/issues/25070

reference_url

https://github.com/protocolbuffers/protobuf/pull/25239

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-23T15:33:48Z/

url

https://github.com/protocolbuffers/protobuf/pull/25239

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126302
reference_id	1126302
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126302

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2432398
reference_id	2432398
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2432398

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-0994

reference_id

CVE-2026-0994

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-0994

reference_url

https://github.com/advisories/GHSA-7gcm-g887-7qv7

reference_id

GHSA-7gcm-g887-7qv7

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-7gcm-g887-7qv7

reference_url	https://access.redhat.com/errata/RHSA-2026:16174
reference_id	RHSA-2026:16174
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16174

reference_url	https://access.redhat.com/errata/RHSA-2026:3059
reference_id	RHSA-2026:3059
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3059

reference_url	https://access.redhat.com/errata/RHSA-2026:3094
reference_id	RHSA-2026:3094
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3094

reference_url	https://access.redhat.com/errata/RHSA-2026:3095
reference_id	RHSA-2026:3095
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3095

reference_url	https://access.redhat.com/errata/RHSA-2026:3097
reference_id	RHSA-2026:3097
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3097

reference_url	https://access.redhat.com/errata/RHSA-2026:3218
reference_id	RHSA-2026:3218
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3218

reference_url	https://access.redhat.com/errata/RHSA-2026:3219
reference_id	RHSA-2026:3219
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3219

reference_url	https://access.redhat.com/errata/RHSA-2026:3220
reference_id	RHSA-2026:3220
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3220

reference_url	https://access.redhat.com/errata/RHSA-2026:3461
reference_id	RHSA-2026:3461
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3461

reference_url	https://access.redhat.com/errata/RHSA-2026:3462
reference_id	RHSA-2026:3462
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3462

reference_url	https://access.redhat.com/errata/RHSA-2026:3958
reference_id	RHSA-2026:3958
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3958

reference_url	https://access.redhat.com/errata/RHSA-2026:3959
reference_id	RHSA-2026:3959
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3959

reference_url	https://access.redhat.com/errata/RHSA-2026:8746
reference_id	RHSA-2026:8746
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8746

reference_url	https://access.redhat.com/errata/RHSA-2026:8747
reference_id	RHSA-2026:8747
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8747

reference_url	https://access.redhat.com/errata/RHSA-2026:8748
reference_id	RHSA-2026:8748
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8748

reference_url	https://usn.ubuntu.com/8063-1/
reference_id	USN-8063-1
reference_type
scores
url	https://usn.ubuntu.com/8063-1/

reference_url	https://usn.ubuntu.com/8063-2/
reference_id	USN-8063-2
reference_type
scores
url	https://usn.ubuntu.com/8063-2/

fixed_packages

url	pkg:pypi/protobuf@5.29.6
purl	pkg:pypi/protobuf@5.29.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/protobuf@5.29.6

url	pkg:pypi/protobuf@6.33.5
purl	pkg:pypi/protobuf@6.33.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/protobuf@6.33.5

url	pkg:pypi/protobuf@7.34.0rc1
purl	pkg:pypi/protobuf@7.34.0rc1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/protobuf@7.34.0rc1

aliases CVE-2026-0994, GHSA-7gcm-g887-7qv7

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u1c9-xd6h-8fgc

Fixing_vulnerabilities

url VCID-q9yb-5dsu-uuft

vulnerability_id VCID-q9yb-5dsu-uuft

summary

protobuf-python has a potential Denial of Service issue
Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of **recursive groups**, **recursive messages** or **a series of [`SGROUP`](https://protobuf.dev/programming-guides/encoding/#groups) tags** can be corrupted by exceeding the Python recursion limit.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team
[ecosystem@trailofbits.com](mailto:ecosystem@trailofbits.com)

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-4565.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-4565.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-4565

reference_id

reference_type

scores

value	0.00016
scoring_system	epss
scoring_elements	0.03854
published_at	2026-06-07T12:55:00Z

value	0.00016
scoring_system	epss
scoring_elements	0.03867
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-4565

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4565
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4565

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/protocolbuffers/protobuf

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/protocolbuffers/protobuf

reference_url

https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.py#L87-L98

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.py#L87-L98

reference_url

https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.py#L1436-L1478

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.py#L1436-L1478

reference_url

https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-16T15:38:57Z/

url

https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901

reference_url

https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8

reference_url

https://github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108057
reference_id	1108057
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108057

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2373016
reference_id	2373016
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2373016

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-4565

reference_id

CVE-2025-4565

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-4565

reference_url	https://github.com/advisories/GHSA-8qvm-5x2c-j2w7
reference_id	GHSA-8qvm-5x2c-j2w7
reference_type
scores
url	https://github.com/advisories/GHSA-8qvm-5x2c-j2w7

reference_url

https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8qvm-5x2c-j2w7

reference_id

GHSA-8qvm-5x2c-j2w7

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8qvm-5x2c-j2w7

reference_url	https://access.redhat.com/errata/RHSA-2025:10773
reference_id	RHSA-2025:10773
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:10773

reference_url	https://access.redhat.com/errata/RHSA-2026:1249
reference_id	RHSA-2026:1249
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1249

reference_url	https://access.redhat.com/errata/RHSA-2026:3960
reference_id	RHSA-2026:3960
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3960

reference_url	https://usn.ubuntu.com/7629-1/
reference_id	USN-7629-1
reference_type
scores
url	https://usn.ubuntu.com/7629-1/

reference_url	https://usn.ubuntu.com/7629-2/
reference_id	USN-7629-2
reference_type
scores
url	https://usn.ubuntu.com/7629-2/

fixed_packages

url pkg:pypi/protobuf@4.25.8

purl pkg:pypi/protobuf@4.25.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-u1c9-xd6h-8fgc

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/protobuf@4.25.8

url pkg:pypi/protobuf@5.29.5

purl pkg:pypi/protobuf@5.29.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-u1c9-xd6h-8fgc

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/protobuf@5.29.5

url pkg:pypi/protobuf@6.31.1

purl pkg:pypi/protobuf@6.31.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-u1c9-xd6h-8fgc

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/protobuf@6.31.1

aliases CVE-2025-4565, GHSA-8qvm-5x2c-j2w7

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q9yb-5dsu-uuft

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/protobuf@5.29.5

Package Instance