CVE-2024-24786

Summary

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Affected Software

VendorProductVersion RangeStatus
google.golang.org/protobufgoogle.golang.org/protobuf/encoding/protojson0 < 1.33.0affected
google.golang.org/protobufgoogle.golang.org/protobuf/internal/encoding/json0 < 1.33.0affected

Weaknesses

  • CWE-1286: Improper Validation of Syntactic Correctness of Input

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References