{"url":"http://public2.vulnerablecode.io/api/packages/73583?format=json","purl":"pkg:pypi/protobuf@6.30.0rc1","type":"pypi","namespace":"","name":"protobuf","version":"6.30.0rc1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.33.5","latest_non_vulnerable_version":"6.33.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49823?format=json","vulnerability_id":"VCID-u1c9-xd6h-8fgc","summary":"protobuf affected by a JSON recursion depth bypass\nA denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.\n\nDue to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.","references":[{"reference_url":"https://github.com/protocolbuffers/protobuf","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/protocolbuffers/protobuf"},{"reference_url":"https://github.com/protocolbuffers/protobuf/commit/5ebddcb1bcbe51d1fe323baa145e85f4f23128cf","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/protocolbuffers/protobuf/commit/5ebddcb1bcbe51d1fe323baa145e85f4f23128cf"},{"reference_url":"https://github.com/protocolbuffers/protobuf/commit/d2b001626d137c62dfee6c88c87324102531868b","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/protocolbuffers/protobuf/commit/d2b001626d137c62dfee6c88c87324102531868b"},{"reference_url":"https://github.com/protocolbuffers/protobuf/issues/25070","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/protocolbuffers/protobuf/issues/25070"},{"reference_url":"https://github.com/protocolbuffers/protobuf/pull/25239","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/protocolbuffers/protobuf/pull/25239"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0994","reference_id":"CVE-2026-0994","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0994"},{"reference_url":"https://github.com/advisories/GHSA-7gcm-g887-7qv7","reference_id":"GHSA-7gcm-g887-7qv7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7gcm-g887-7qv7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73584?format=json","purl":"pkg:pypi/protobuf@6.33.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/protobuf@6.33.5"}],"aliases":["CVE-2026-0994","GHSA-7gcm-g887-7qv7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u1c9-xd6h-8fgc"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/protobuf@6.30.0rc1"}