View all vulnerabilities

CVE-2024-24786

Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading
Vulnerability Details
Score
7.5
Score Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Versions
google.golang.org/protobuf < 1.33.0; google.golang.org/protobuf/encoding/protojson < 1.33.0; google.golang.org/protobuf/internal/encoding/json < 1.33.0
Severity
High
Ecosystem
GO
Publish Date
March 5, 2024
Modified Date
November 7, 2024