Vulnerability Report: GO-2023-1631

CVE-2023-24535, GHSA-hw7c-3rfg-p46j
Affects: google.golang.org/protobuf
Published: Mar 14, 2023
Modified: Jun 12, 2023

Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.

Affected Packages

Path

Versions

Symbols
google.golang.org/protobuf/encoding/prototext

from v1.29.0 before v1.29.1
- Unmarshal
- UnmarshalOptions.Unmarshal
google.golang.org/protobuf/internal/encoding/text

from v1.29.0 before v1.29.1
- Decoder.Peek
- Decoder.Read

Aliases

CVE-2023-24535
GHSA-hw7c-3rfg-p46j

References

https://go.dev/cl/475995
https://github.com/golang/protobuf/issues/1530
https://vuln.go.dev/ID/GO-2023-1631.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL