Vulnerability

CVE-2024-24786

 Report advisory or correction

CVSS Score 7.5 high

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-835

References

https://pkg.go.dev/vuln/GO-2024-2611
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24786

[CVE-2024-24786] CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Description

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

See google.golang.org/protobuf package information