34selen

[PHP] mergeFromString() allows negative length varints, infinite loop / worker exhaustion DoS

3

## Summary The PHP Protobuf runtime (php/src/Google/Protobuf/Internal/*) accepts a crafted length-delimited field whose declared length varint becomes a negative integer after sign extension. That negative length is passed directly into...

## Summary (CWE-1321 Prototype Pollution) convict(schema) becomes globally polluted when the schema object contains a constructor.prototype.* path. During schema normalization/default propagation, the code walks into built-in properties and ends up...

The recursion limit does not function correctly, allowing arbitrarily deep nested messages and resulting in a denial-of-service (DoS).

1

1. Summary PHP Protobuf CodedInputStream’s recursion-limit handling is wrong, so the default depth limit of 100 is not applied; it will parse arbitrarily deep nested messages, allowing stack/CPU exhaustion DoS....

Any JSON recursion depth bypass in Python json_format.ParseDict

2

# 1. Summary --- A denial-of-service (DoS) vulnerability exists in **`google.protobuf.json_format.ParseDict()`** in Python, where the **`max_recursion_depth` limit can be bypassed when parsing nested `google.protobuf.Any` messages**. Due to missing recursion depth...

Protobuf Java JsonFormat Any Nesting Bypasses Recursion Limit Leading to Stack Exhaustion (DoS)

5

## 1. Summary --- A denial-of-service (DoS) via stack exhaustion is possible in **Java `com.google.protobuf.util.JsonFormat`** when parsing **deeply nested `Any`** messages, because the configured **`recursionLimit` is not enforced** along the...