Search for packages
| purl | pkg:pypi/protobuf@2.0.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-cg4f-vq8p-dub3
Aliases: CVE-2026-0994 GHSA-7gcm-g887-7qv7 |
protobuf affected by a JSON recursion depth bypass A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-fsjg-27y3-ykfe
Aliases: CVE-2015-5237 GHSA-jwvw-v7c5-m82h PYSEC-2017-65 |
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. |
Affected by 4 other vulnerabilities. |
|
VCID-hwx9-7pf9-ryce
Aliases: CVE-2025-4565 GHSA-8qvm-5x2c-j2w7 |
protobuf-python has a potential Denial of Service issue ### Summary Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of **recursive groups**, **recursive messages** or **a series of [`SGROUP`](https://protobuf.dev/programming-guides/encoding/#groups) tags** can be corrupted by exceeding the Python recursion limit. Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team [ecosystem@trailofbits.com](mailto:ecosystem@trailofbits.com) Affected versions: This issue only affects the [pure-Python implementation](https://github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends) of protobuf-python backend. This is the implementation when `PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python` environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default. This is a Python variant of a [previous issue affecting protobuf-java](https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8). ### Severity This is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker. ### Proof of Concept For reproduction details, please refer to the unit tests [decoder_test.py](https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.py#L87-L98) and [message_test](https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.py#L1436-L1478) ### Remediation and Mitigation A mitigation is available now. Please update to the latest available versions of the following packages: * protobuf-python(4.25.8, 5.29.5, 6.31.1) |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-r3jf-wsh1-f3gb
Aliases: CVE-2022-1941 GHSA-8gq9-2x98-w8hf |
A vulnerability has been discovered in protobuf and protobuf-python, which can lead to a denial of service. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-uc1w-7er3-x7gb
Aliases: CVE-2021-22570 GHSA-77rm-9x9h-xj3g PYSEC-2022-48 |
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||