CVE-2024-7254

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

Published: Sep 19, 2024
Updated: Jul 31, 2025
CVE: CVE-2024-7254
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-787

Affected Software
References

Software	From	Fixed in
netapp / ontap_tools	10	10.x
google / protobuf	-	3.25.5
google / protobuf	4.0.0	4.27.5
google / protobuf	4.28.0	4.28.2
google / protobuf-java	-	3.25.5
google / protobuf-java	4.0.0	4.27.5
google / protobuf-java	4.28.0	4.28.2
google / protobuf-javalite	-	3.25.5
google / protobuf-javalite	4.0.0	4.27.5
google / protobuf-javalite	4.28.0	4.28.2
google / protobuf-kotlin	-	3.25.5
google / protobuf-kotlin	4.0.0	4.27.5
google / protobuf-kotlin	4.28.0	4.28.2
google / protobuf-kotlin-lite	-	3.25.5
google / protobuf-kotlin-lite	4.0.0	4.27.5
google / protobuf-kotlin-lite	4.28.0	4.28.2.x

Vulnerability Database

CVE-2024-7254