The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Affected Packages

Go google.golang.org/protobuf

Affected versions: 0 (fixed in 1.33.0)

Go google.golang.org/protobuf/encoding/protojson

Affected versions: 0 (fixed in 1.33.0)

Go google.golang.org/protobuf/internal/encoding/json

Affected versions: 0 (fixed in 1.33.0)

Related CVEs

CVE-2024-24786

Key Information

GHSA ID

GHSA-8r3f-844c-mc37

Published

March 6, 2024 12:31 AM

Last Modified

November 7, 2024 7:19 PM

CVSS Score

5.0 /10

Primary Ecosystem

Primary Package

google.golang.org/protobuf

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 18, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.