Update module google.golang.org/protobuf to v1.33.0 [SECURITY]
This MR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
google.golang.org/protobuf | require | minor |
v1.32.0 -> v1.33.0
|
Infinite loop in JSON unmarshaling in google.golang.org/protobuf
More information
Details
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Release Notes
protocolbuffers/protobuf-go (google.golang.org/protobuf)
v1.33.0
This release contains one security fix:
-
encoding/protojson
:Unmarshal
could enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains agoogle.protobuf.Any
value, or when theUnmarshalOptions.DiscardUnknown
option is set.Unmarshal
now correctly returns an error when handling these inputs. This is CVE-2024-24786.
Configuration
-
If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.