
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN076
_____________________________________________________________________

DATE                : 26/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running protobuf (pip) versions prior
                     to 4.25.8, 5.29.5, 6.31.1.

=====================================================================
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8qvm-5x2c-j2w7
_____________________________________________________________________


A potential Denial of Service issue in protobuf-python
High
zhangskz published GHSA-8qvm-5x2c-j2w7 Jun 16, 2025

Package
protobuf (pip)

Affected versions
<4.25.8, <5.29.5, <6.31.1

Patched versions
4.25.8, 5.29.5, 6.31.1


Description

Summary

Any project that uses the Protobuf pure-Python backend to parse untrusted
Protocol Buffers data containing an arbitrary number of recursive
groups, recursive messages or a series of SGROUP tags can be crashed by
exceeding the Python recursion limit (a denial of service).

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team
ecosystem@trailofbits.com

Affected versions: This issue only affects the pure-Python
implementation of the protobuf-python backend. This is the
implementation used when the PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python
environment variable is set, and the default when protobuf is used from
Bazel or from pure-Python PyPI wheels. CPython PyPI wheels do not use
pure-Python by default.

This is a Python variant of a previous issue affecting protobuf-java.


Severity

CVE-2025-4565 High CVSS4.0 Score 8.2 (NOTE: there may be a delay in 
publication)
This is a potential Denial of Service. Parsing nested protobuf data
creates unbounded recursions that can be abused by an attacker.

Proof of Concept

For reproduction details, please refer to the unit tests
decoder_test.py and message_test

Remediation and Mitigation

We have been working diligently to address this issue and have 
released a mitigation that is available now. Please update to the 
latest available versions of the following packages:

    protobuf-python(4.25.8, 5.29.5, 6.31.1)
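Added example, not code from the advisory or from the protobuf project: a schema-free pre-check that walks the protobuf wire format and measures SGROUP/EGROUP nesting, so a service that must keep the pure-Python backend until it can upgrade can reject untrusted payloads with excessive group nesting before they reach the recursive decoder. The limit of 100, the function names and the sample bytes are assumptions; the check covers the recursive-group and SGROUP-series cases named in the summary, not embedded messages, which cannot be identified without the schema.

```python
# Wire types from the protobuf encoding; SGROUP/EGROUP open and close a group.
WIRE_VARINT, WIRE_FIXED64, WIRE_LEN, WIRE_SGROUP, WIRE_EGROUP, WIRE_FIXED32 = range(6)

def read_varint(buf: bytes, pos: int) -> tuple:
    """Decode a base-128 varint at pos; return (value, next_pos). Max 10 bytes."""
    value = 0
    for shift in range(0, 70, 7):
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
    raise ValueError("varint longer than 10 bytes")

def max_group_depth(buf: bytes) -> int:
    """Walk the wire format once and return the deepest SGROUP nesting seen.
    Unterminated groups (a run of SGROUP tags with no EGROUP) still count.
    Length-delimited fields are skipped, not descended into: without a schema
    an embedded message cannot be told apart from a string or bytes field."""
    pos, depth, deepest = 0, 0, 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        wire_type = tag & 0x7
        if wire_type == WIRE_VARINT:
            _, pos = read_varint(buf, pos)
        elif wire_type in (WIRE_FIXED64, WIRE_FIXED32):
            pos += 8 if wire_type == WIRE_FIXED64 else 4
        elif wire_type == WIRE_LEN:
            length, pos = read_varint(buf, pos)
            pos += length
        elif wire_type == WIRE_SGROUP:
            depth += 1
            deepest = max(deepest, depth)
        elif wire_type == WIRE_EGROUP:
            depth = max(depth - 1, 0)  # a stray EGROUP must not go negative
        else:
            raise ValueError(f"unknown wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("field runs past end of buffer")
    return deepest

def nesting_is_safe(buf: bytes, limit: int = 100) -> bool:
    """Accept only payloads whose group nesting is at or below limit (assumed value)."""
    return max_group_depth(buf) <= limit

# Constructed sample: field 1 opened as a group three times (0x0B = field 1, SGROUP),
# a varint field 2 = 7 (0x10 0x07) inside, then three matching EGROUPs (0x0C).
SAMPLE_NESTED = bytes([0x0B, 0x0B, 0x0B, 0x10, 0x07, 0x0C, 0x0C, 0x0C])
```

Run the check on every untrusted buffer before calling ParseFromString; the upgrade to the patched releases listed above remains the actual fix.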


Severity
High

CVE ID
CVE-2025-4565

Weaknesses
No CWEs


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================