Description
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.

Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
Published: 2026-01-23
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A vulnerability exists in the protobuf Python library’s json_format.ParseDict function, where the configured maximum recursion depth can be bypassed when parsing nested Any messages. This allows an attacker to supply deeply nested structures that evade the intended limit, causing the interpreter to exhaust its recursion stack and trigger a RecursionError. The result is a service interruption that affects the availability of any application using the vulnerable parsing routine.

Affected Systems

The issue targets the Python protobuf implementation, specifically the google.protobuf.json_format module. Any deployment that relies on the protobuf library to parse JSON payloads containing Any messages may be affected. No specific version identifiers are provided, so all versions prior to the fix in the referenced pull request are potentially vulnerable.

Risk and Exploitability

With a CVSS score of 8.2 the vulnerability is considered high severity. The EPSS score is reported as less than 1%, indicating that while exploitation probability is low, the damage a successful attempt could cause is significant. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Because the flaw lies within the processing of user-supplied data, the likely attack vector is through application-level input, potentially from remote users sending crafted JSON. No additional exploit conditions are described in the available data.

Generated by OpenCVE AI on April 18, 2026 at 03:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Python protobuf package that includes the fix for PR 25239
  • Review any custom parsing code to ensure that recursion depth limits are enforced on input before delegating to ParseDict
  • If an upgrade is delayed, implement input validation to reject JSON payloads exceeding a safe depth before parsing

Generated by OpenCVE AI on April 18, 2026 at 03:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7gcm-g887-7qv7 protobuf affected by a JSON recursion depth bypass
Ubuntu USN Ubuntu USN USN-8063-1 Protocol Buffers vulnerability
History

Thu, 09 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*

Tue, 27 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google protobuf
Google protobuf-python
Protobuf
Protobuf protobuf
Vendors & Products Google
Google protobuf
Google protobuf-python
Protobuf
Protobuf protobuf

Fri, 23 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Description A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
Title Denial of Service in Python Protobuf
Weaknesses CWE-674
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L'}

Subscriptions

Google Protobuf Protobuf-python
Protobuf Protobuf
cve-icon MITRE

Status: PUBLISHED

Assigner: Google

Published:

Updated: 2026-01-30T14:28:11.435Z

Reserved: 2026-01-15T15:16:22.904Z

Link: CVE-2026-0994

cve-icon Vulnrichment

Updated: 2026-01-23T15:33:53.235Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-23T15:16:06.840

Modified: 2026-04-09T14:19:17.700

Link: CVE-2026-0994

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-23T14:55:16Z

Links: CVE-2026-0994 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T03:15:35Z

Weaknesses