CVE-2024-7254

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to cause a stack overflow by sending malicious Protocol Buffers data with deeply nested groups, potentially crashing applications. It affects any system using Google Protocol Buffers libraries to parse untrusted data. The impact is denial of service through application crashes.

💻 Affected Systems

Products:
  • Google Protocol Buffers (protobuf)
  • Any software using protobuf libraries
Versions: Protocol Buffers versions before the fix commit cc8b3483a5584b3301e3d43d17eb59704857ffaa
Operating Systems: All operating systems
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when using DiscardUnknownFieldsParser, Java Protobuf Lite parser, or parsing against Protobuf map fields with untrusted data.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete application crash leading to denial of service, potentially affecting availability of critical services.

🟠 Likely Case: Application crashes or becomes unresponsive when processing malicious Protocol Buffers data, causing service disruption.

🟢 If Mitigated: Limited impact with proper input validation and resource limits in place.

🌐 Internet-Facing: HIGH - Any service accepting Protocol Buffers data from untrusted sources is vulnerable to DoS attacks.
🏢 Internal Only: MEDIUM - Internal services processing Protocol Buffers data could be affected, but attack surface is smaller.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted Protocol Buffers data to vulnerable parsers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Protocol Buffers with commit cc8b3483a5584b3301e3d43d17eb59704857ffaa or later

Vendor Advisory: https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa

Restart Required: Yes

Instructions:

1. Update the Protocol Buffers library to a version containing fix commit cc8b3483a5584b3301e3d43d17eb59704857ffaa
2. Rebuild and redeploy applications using the library
3. Restart affected services

🔧 Temporary Workarounds

Input validation and limits (applies to: all): Implement depth limits and validation for Protocol Buffers parsing

Network filtering (applies to: all): Block or limit Protocol Buffers traffic from untrusted sources

🧯 If You Can't Patch

  • Implement strict input validation to reject deeply nested Protocol Buffers structures
  • Deploy rate limiting and monitoring for Protocol Buffers parsing operations
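One way to enforce the depth limit named above without relying on the parser's own recursion guard is to walk the wire format iteratively before handing bytes to the library and reject payloads whose group nesting exceeds a cap. The code below is an added example, not code from the advisory or the protobuf project; the 100-level limit, the `nested_groups` test payload and the function names are assumptions of this example (note that the Java and C++ `CodedInputStream` APIs also expose their own recursion-limit setters, which the pre-check complements rather than replaces).

```python
START_GROUP, END_GROUP = 3, 4  # wire types that open and close a group

def read_varint(buf: bytes, pos: int):
    """Decode a base-128 varint starting at pos; return (value, next_pos)."""
    result = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def max_group_depth(buf: bytes, limit: int = 100) -> int:
    """Deepest group nesting in buf; raises ValueError past limit or on malformed data (iterative, so it cannot itself overflow)."""
    depth = deepest = pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire_type = tag >> 3, tag & 7
        if wire_type == 0:            # varint
            _, pos = read_varint(buf, pos)
        elif wire_type == 1:          # fixed64
            pos += 8
        elif wire_type == 2:          # length-delimited (bytes, string, sub-message)
            length, pos = read_varint(buf, pos)
            pos += length
        elif wire_type == START_GROUP:
            depth += 1
            if depth > limit:
                raise ValueError(f"group nesting exceeds limit of {limit}")
            deepest = max(deepest, depth)
        elif wire_type == END_GROUP:
            if depth == 0:
                raise ValueError("end-group without matching start-group")
            depth -= 1
        elif wire_type == 5:          # fixed32
            pos += 4
        else:
            raise ValueError(f"unknown wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("field runs past end of buffer")
    if depth:
        raise ValueError("unterminated group")
    return deepest

def nested_groups(n: int, field: int = 1) -> bytes:
    """Constructed test payload (not a real capture): n nested groups on one field."""
    return bytes([field << 3 | START_GROUP]) * n + bytes([field << 3 | END_GROUP]) * n
```

Length-delimited fields are skipped rather than descended into, because without the schema the checker cannot tell an embedded message from an opaque bytes field; library-level recursion limits still cover that case.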

🔍 How to Verify

Check if Vulnerable:

Check the Protocol Buffers library version and verify that it contains commit cc8b3483a5584b3301e3d43d17eb59704857ffaa

Check Version:

Check build/version information of Protocol Buffers library in your application

Verify Fix Applied:

Verify the library version includes the fix commit and test with sample nested Protocol Buffers data

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or stack overflow errors
  • High memory/CPU usage during Protocol Buffers parsing

Network Indicators:

  • Unusually large or complex Protocol Buffers messages
  • Repeated Protocol Buffers requests causing service degradation

SIEM Query:

Search application logs for 'stack overflow', 'protobuf' and 'parsing error'
