CVE-2024-24786 in protobufinfo

Summary

by MITRE • 03/06/2024

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/15/2026

The vulnerability described in CVE-2024-24786 represents a critical denial of service flaw within the protojson unmarshaling functionality of protobuf implementations. This issue manifests when processing malformed JSON input that contains specific patterns involving google.protobuf.Any values or when the UnmarshalOptions.DiscardUnknown flag is enabled during deserialization operations. The flaw operates at the intersection of data parsing and memory management, creating a scenario where the unmarshaling process becomes trapped in an infinite loop rather than properly handling the invalid input structure.

The technical root cause of this vulnerability lies in the improper handling of recursive data structures during JSON deserialization. When the protojson.Unmarshal function encounters certain malformed JSON containing google.protobuf.Any fields, the internal parsing logic fails to properly terminate recursive processing loops that should be detected and handled gracefully. This behavior is particularly dangerous because it can be triggered by maliciously crafted input that does not conform to standard JSON specifications, allowing attackers to exploit the vulnerability through crafted payloads. The issue is further exacerbated when the DiscardUnknown option is enabled, as this configuration parameter introduces additional complexity to the unmarshaling process that can trigger the problematic code path.

From an operational perspective, this vulnerability presents a significant risk to systems that rely on protobuf-based serialization for communication protocols, particularly in microservices architectures, API gateways, and backend services that process external JSON input. The infinite loop condition effectively consumes system resources and can lead to complete service unavailability, making it a prime candidate for denial of service attacks. The vulnerability affects applications that use the protobuf library for processing external data, including web services, data processing pipelines, and any system that performs JSON-to-protobuf conversion. Attackers can exploit this weakness by submitting carefully crafted JSON payloads that trigger the recursive parsing behavior, potentially causing system crashes or resource exhaustion.

Security mitigations for this vulnerability should prioritize immediate patching of affected protobuf implementations, as the issue represents a fundamental flaw in input validation and processing. Organizations should implement strict input validation measures that filter or reject malformed JSON before it reaches the protojson unmarshaling functions. Additionally, monitoring systems should be configured to detect unusual resource consumption patterns that may indicate exploitation attempts. The vulnerability aligns with CWE-835, which covers infinite loops in software, and maps to ATT&CK technique T1499.004 for denial of service attacks. Network segmentation and rate limiting should be implemented to limit the potential impact of exploitation, while application-level firewalls can help filter suspicious JSON patterns. The recommended remediation approach includes upgrading to patched protobuf versions, implementing circuit breaker patterns around deserialization operations, and conducting thorough code reviews to identify similar patterns in custom JSON processing logic.

Reservation

01/30/2024

Disclosure

03/06/2024

Moderation

accepted

CPE

ready

EPSS

0.01262

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!