CVE-2024-7254

Stack overflow in Protocol Buffers Java Lite

Description

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

INFO

Published Date :

2024-09-19T00:18:45.824Z

Last Modified :

2025-09-08T09:37:53.702Z

Source :

Google

AFFECTED PRODUCTS

The following products are affected by CVE-2024-7254 vulnerability.

Vendors	Products
Google	Google-protobuf Protobuf Protobuf-java Protobuf-javalite Protobuf-kotlin Protobuf-kotlin-lite
Netapp	Active Iq Unified Manager Bluexp Ontap Tools
Redhat	Amq Streams Apache Camel Spring Boot Camel Quarkus Jboss Enterprise Application Platform Quarkus Trusted Profile Analyzer

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-7254.

URL	Resource
https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
https://nvd.nist.gov/vuln/detail/CVE-2024-7254
https://security.netapp.com/advisory/ntap-20241213-0010/
https://security.netapp.com/advisory/ntap-20250418-0006/
https://www.cve.org/CVERecord?id=CVE-2024-7254