CGA-2vgr-6mqh-4r48
Infinite Loop vulnerability in protobuf (Go)
What is CGA-2vgr-6mqh-4r48 About?
This vulnerability allows the `protojson.Unmarshal` function to enter an infinite loop when processing specific forms of invalid JSON. This condition leads to a denial of service. Exploitation happens when unmarshaling into a message with a `google.protobuf.Any` value or with the `UnmarshalOptions.DiscardUnknown` option set.
Affected Software
- google.golang.org/protobuf: <1.33.0
- google.golang.org/protobuf/encoding/protojson: <1.33.0
- google.golang.org/protobuf/internal/encoding/json: <1.33.0
Technical Details
The protojson.Unmarshal function is susceptible to an infinite loop when attempting to unmarshal certain types of invalid JSON input. This problematic condition specifically arises under two circumstances: first, when the target message for unmarshaling contains a google.protobuf.Any value; and second, when the UnmarshalOptions.DiscardUnknown option is explicitly set. In these scenarios, malformed JSON structures can lead the unmarshaling logic into a recursive or circular processing path that never terminates, consuming all available CPU resources and causing a denial of service.
What is the Impact of CGA-2vgr-6mqh-4r48?
Successful exploitation may allow attackers to cause a permanent freeze or crash of the application processing the malicious JSON, leading to a denial-of-service condition and unavailability.
What is the Exploitability of CGA-2vgr-6mqh-4r48?
Exploitation complexity is moderate, requiring the crafting of specific invalid JSON payloads. There are no explicit authentication or privilege requirements beyond the ability to submit JSON data to the protojson.Unmarshal function. This is likely a remote vulnerability if the JSON processing occurs on a server, or a local vulnerability if an application processes untrusted local JSON. The key conditions for exploitation are either the presence of a google.protobuf.Any value in the target message or the UnmarshalOptions.DiscardUnknown option being enabled. Risk factors include applications that accept and unmarshal arbitrary JSON input from untrusted sources without robust validation or resource limits.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CGA-2vgr-6mqh-4r48?
About the Fix from Resolved Security
This patch improves JSON decoding in Go protobufs to correctly detect and reject objects where a field name appears without an associated value (e.g., {"foo":}), preventing further processing and reporting a syntax error instead. This fixes CVE-2024-24786 by ensuring attackers cannot exploit this parsing ambiguity to bypass input validation or inject malicious input, which could otherwise lead to security or correctness issues.
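The exploitability section above names the risk factor (untrusted JSON unmarshaled without validation or resource limits) and the fix description names the triggering shape (`{"foo":}`). The following is an added defensive example, not code from this advisory or from protobuf-go: it wraps a decoder callback (the `Decoder` type is a hypothetical shape for binding `protojson.Unmarshal` to a target message) with a size cap, a syntactic pre-check using the standard library's `json.Valid`, which rejects that shape, and a deadline so a hung decode surfaces as an error.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

var (
	ErrTooLarge    = errors.New("json input exceeds size limit")
	ErrInvalidJSON = errors.New("json input is not syntactically valid")
	ErrTimeout     = errors.New("json unmarshal exceeded deadline")
)

// Decoder is a hypothetical callback shape: wrap protojson.Unmarshal
// (or UnmarshalOptions.Unmarshal) with the target message already bound.
type Decoder func(data []byte) error

// GuardedUnmarshal puts three defences around a decoder that may hang
// on malformed input: a size cap, a syntactic pre-check (encoding/json
// rejects the field-name-without-value shape {"foo":}), and a deadline
// so a hung decode surfaces as an error instead of pinning the request.
func GuardedUnmarshal(ctx context.Context, data []byte, maxBytes int, dec Decoder) error {
	if len(data) > maxBytes {
		return ErrTooLarge
	}
	if !json.Valid(data) {
		return ErrInvalidJSON
	}
	done := make(chan error, 1)
	go func() { done <- dec(data) }()
	select {
	case err := <-done:
		return err
	case <-ctx.Done():
		// Only the caller's wait is bounded; the goroutine running dec
		// keeps spinning. Upgrading to protobuf >=1.33.0 is the real fix.
		return ErrTimeout
	}
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
	defer cancel()
	// Constructed sample: the malformed shape named in the fix description.
	fmt.Println(GuardedUnmarshal(ctx, []byte(`{"foo":}`), 1<<20, func([]byte) error { return nil }))
}
```

The pre-check parses the input twice, so on a hot path treat it as a stopgap until the upgrade lands and keep only the size cap and deadline afterwards.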
Available Upgrade Options
- google.golang.org/protobuf/internal/encoding/json: <1.33.0 → Upgrade to 1.33.0
- google.golang.org/protobuf: <1.33.0 → Upgrade to 1.33.0
- google.golang.org/protobuf/encoding/protojson: <1.33.0 → Upgrade to 1.33.0
Additional Resources
- https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU/
- https://osv.dev/vulnerability/GO-2024-2611
- https://security.netapp.com/advisory/ntap-20240517-0002
- http://www.openwall.com/lists/oss-security/2024/03/08/4
- https://go.dev/cl/569356
- https://pkg.go.dev/vuln/GO-2024-2611
What are Similar Vulnerabilities to CGA-2vgr-6mqh-4r48?
Similar Vulnerabilities: CVE-2023-45803, CVE-2022-21703, CVE-2021-4122, CVE-2020-8012, CVE-2019-10023
