In the package google.golang.org/protobuf versions prior to 1.33.0, the "protojson.Unmarshal" function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a "google.protobuf.Any" value, or when the "UnmarshalOptions.DiscardUnknown" option is set.
HIGH Vulnerable Package issue exists @ google.golang.org/protobuf in branch master
Description
In the package google.golang.org/protobuf versions prior to 1.33.0, the "protojson.Unmarshal" function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a "google.protobuf.Any" value, or when the "UnmarshalOptions.DiscardUnknown" option is set.
HIGH Vulnerable Package issue exists @ google.golang.org/protobuf in branch master
Vulnerability ID: CVE-2024-24786
Package Name: google.golang.org/protobuf
Severity: HIGH
CVSS Score: 7.5
Publish Date: 2024-03-05T23:15:00
Current Package Version: v1.24.0
Remediation Upgrade Recommendation: v1.25.1-0.20210525005349-febffdd88e85
Link To SCA
Reference – NVD link