The binary format has a default recursion depth of 10,000. And that depth is configurable via proto.UnmarshalOptions. But the protojson package has no such limit. So if a schema allows arbitrary depth (such as using a recursive/hierarchical type, mutually recursive types, or open-ended JSON types such as google.protobuf.Value), an attacker can easily trigger a stack overflow, which results in a process crashing. Since a stack overflow is a fatal error, not a panic, it cannot be handled via recover, which. makes this a serious DOS issue.
The binary format has a default recursion depth of 10,000. And that depth is configurable via
proto.UnmarshalOptions
. But theprotojson
package has no such limit. So if a schema allows arbitrary depth (such as using a recursive/hierarchical type, mutually recursive types, or open-ended JSON types such asgoogle.protobuf.Value
), an attacker can easily trigger a stack overflow, which results in a process crashing. Since a stack overflow is a fatal error, not a panic, it cannot be handled viarecover
, which. makes this a serious DOS issue.