VulnerableCode Package Details - pkg:pypi/protobuf@6.30.0rc1

Search for packages

Vulnerability	Summary	Fixed by
VCID-cg4f-vq8p-dub3 Aliases: CVE-2026-0994 GHSA-7gcm-g887-7qv7	protobuf affected by a JSON recursion depth bypass A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.	6.33.5 Affected by 0 other vulnerabilities. 7.34.0rc1 Affected by 0 other vulnerabilities.
VCID-hwx9-7pf9-ryce Aliases: CVE-2025-4565 GHSA-8qvm-5x2c-j2w7	protobuf-python has a potential Denial of Service issue ### Summary Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of [`SGROUP`](https://protobuf.dev/programming-guides/encoding/#groups) tags can be corrupted by exceeding the Python recursion limit. Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team [ecosystem@trailofbits.com](mailto:ecosystem@trailofbits.com) Affected versions: This issue only affects the [pure-Python implementation](https://github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends) of protobuf-python backend. This is the implementation when `PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python` environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default. This is a Python variant of a [previous issue affecting protobuf-java](https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8). ### Severity This is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker. ### Proof of Concept For reproduction details, please refer to the unit tests [decoder_test.py](https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.py#L87-L98) and [message_test](https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.py#L1436-L1478) ### Remediation and Mitigation A mitigation is available now. Please update to the latest available versions of the following packages: * protobuf-python(4.25.8, 5.29.5, 6.31.1)	6.31.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-cg4f-vq8p-dub3
Aliases:
CVE-2026-0994
GHSA-7gcm-g887-7qv7

protobuf affected by a JSON recursion depth bypass A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

6.33.5
Affected by 0 other vulnerabilities.

7.34.0rc1
Affected by 0 other vulnerabilities.

VCID-hwx9-7pf9-ryce
Aliases:
CVE-2025-4565
GHSA-8qvm-5x2c-j2w7

protobuf-python has a potential Denial of Service issue ### Summary Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of **recursive groups**, **recursive messages** or **a series of [`SGROUP`](https://protobuf.dev/programming-guides/encoding/#groups) tags** can be corrupted by exceeding the Python recursion limit. Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team [ecosystem@trailofbits.com](mailto:ecosystem@trailofbits.com) Affected versions: This issue only affects the [pure-Python implementation](https://github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends) of protobuf-python backend. This is the implementation when `PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python` environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default. This is a Python variant of a [previous issue affecting protobuf-java](https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8). ### Severity This is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker. ### Proof of Concept For reproduction details, please refer to the unit tests [decoder_test.py](https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.py#L87-L98) and [message_test](https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.py#L1436-L1478) ### Remediation and Mitigation A mitigation is available now. Please update to the latest available versions of the following packages: * protobuf-python(4.25.8, 5.29.5, 6.31.1)

6.31.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-17T00:12:00.040965+00:00	GitLab Importer	Affected by	VCID-cg4f-vq8p-dub3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/protobuf/CVE-2026-0994.yml	38.4.0
2026-04-16T23:31:13.915019+00:00	GitLab Importer	Affected by	VCID-hwx9-7pf9-ryce	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/protobuf/CVE-2025-4565.yml	38.4.0
2026-04-12T01:35:47.544444+00:00	GitLab Importer	Affected by	VCID-cg4f-vq8p-dub3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/protobuf/CVE-2026-0994.yml	38.3.0
2026-04-12T00:51:01.227408+00:00	GitLab Importer	Affected by	VCID-hwx9-7pf9-ryce	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/protobuf/CVE-2025-4565.yml	38.3.0
2026-04-07T04:58:04.766590+00:00	GHSA Importer	Affected by	VCID-hwx9-7pf9-ryce	https://github.com/advisories/GHSA-8qvm-5x2c-j2w7	38.1.0
2026-04-03T01:44:48.472682+00:00	GitLab Importer	Affected by	VCID-cg4f-vq8p-dub3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/protobuf/CVE-2026-0994.yml	38.1.0
2026-04-03T00:59:05.332401+00:00	GitLab Importer	Affected by	VCID-hwx9-7pf9-ryce	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/protobuf/CVE-2025-4565.yml	38.1.0
2026-04-02T12:41:35.900371+00:00	GitLab Importer	Affected by	VCID-hwx9-7pf9-ryce	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/protobuf/CVE-2025-4565.yml	38.0.0
2026-04-01T16:07:49.266935+00:00	GHSA Importer	Affected by	VCID-cg4f-vq8p-dub3	https://github.com/advisories/GHSA-7gcm-g887-7qv7	38.0.0
2026-04-01T12:53:43.517389+00:00	GitLab Importer	Affected by	VCID-cg4f-vq8p-dub3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/protobuf/CVE-2026-0994.yml	38.0.0