Skip to content

Update dependency protobuf to v5.29.5 [SECURITY] #38

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update dependency protobuf to v5.29.5 [SECURITY] #38

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jun 16, 2025
edited
Loading

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package Change Age Confidence
protobuf 5.28.0 -> 5.29.5 age confidence

GitHub Vulnerability Alerts

CVE-2025-4565

Summary

Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team
ecosystem@trailofbits.com

Affected versions: This issue only affects the pure-Python implementation of protobuf-python backend. This is the implementation when PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default.

This is a Python variant of a previous issue affecting protobuf-java.

Severity

This is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker.

Proof of Concept

For reproduction details, please refer to the unit tests decoder_test.py and message_test

Remediation and Mitigation

A mitigation is available now. Please update to the latest available versions of the following packages:

  • protobuf-python(4.25.8, 5.29.5, 6.31.1)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from f5b6a56 to 6e4cf90 Compare June 17, 2025 12:32
@renovate renovate bot changed the title Update dependency protobuf to v5.29.5 [SECURITY] Update dependency protobuf to v6 [SECURITY] Jun 17, 2025
@renovate renovate bot changed the title Update dependency protobuf to v6 [SECURITY] Update dependency protobuf to v5.29.5 [SECURITY] Jun 17, 2025
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 6e4cf90 to 513a70d Compare June 18, 2025 07:29
@renovate renovate bot changed the title Update dependency protobuf to v5.29.5 [SECURITY] Update dependency protobuf to v6 [SECURITY] Jun 18, 2025
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 513a70d to 84a9e53 Compare June 18, 2025 12:11
@renovate renovate bot changed the title Update dependency protobuf to v6 [SECURITY] Update dependency protobuf to v5.29.5 [SECURITY] Jun 18, 2025
@renovate renovate bot changed the title Update dependency protobuf to v5.29.5 [SECURITY] Update dependency protobuf to v5.29.5 [SECURITY] - autoclosed Jun 20, 2025
@renovate renovate bot closed this Jun 20, 2025
@renovate renovate bot deleted the renovate/pypi-protobuf-vulnerability branch June 20, 2025 15:41
@renovate renovate bot changed the title Update dependency protobuf to v5.29.5 [SECURITY] - autoclosed Update dependency protobuf to v5.29.5 [SECURITY] Jun 20, 2025
@renovate renovate bot reopened this Jun 20, 2025
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 9e1b91a to 84a9e53 Compare June 20, 2025 21:09
@renovate renovate bot changed the title Update dependency protobuf to v5.29.5 [SECURITY] Update dependency protobuf to v6 [SECURITY] Jun 26, 2025
@renovate renovate bot changed the title Update dependency protobuf to v6 [SECURITY] Update dependency protobuf to v5.29.5 [SECURITY] Jun 26, 2025
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 84a9e53 to 3ccb7a1 Compare June 26, 2025 10:32
@renovate renovate bot changed the title Update dependency protobuf to v5.29.5 [SECURITY] Update dependency protobuf to v6 [SECURITY] Jun 27, 2025
@renovate renovate bot changed the title Update dependency protobuf to v6 [SECURITY] Update dependency protobuf to v5.29.5 [SECURITY] Jun 27, 2025
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 3ccb7a1 to 498f2c0 Compare July 2, 2025 17:58
@renovate renovate bot changed the title Update dependency protobuf to v5.29.5 [SECURITY] Update dependency protobuf to v6 [SECURITY] Aug 5, 2025
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 498f2c0 to 25d8a9e Compare August 5, 2025 16:46
@renovate renovate bot changed the title Update dependency protobuf to v6 [SECURITY] Update dependency protobuf to v5.29.5 [SECURITY] Aug 5, 2025
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch 2 times, most recently from 68e5ad6 to c503aef Compare August 10, 2025 14:59
@renovate renovate bot changed the title Update dependency protobuf to v5.29.5 [SECURITY] Update dependency protobuf to v6 [SECURITY] Aug 19, 2025
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from c503aef to b00d29f Compare August 19, 2025 13:03
@renovate renovate bot changed the title Update dependency protobuf to v6 [SECURITY] Update dependency protobuf to v5.29.5 [SECURITY] Aug 19, 2025
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from b00d29f to d73bb2d Compare August 19, 2025 21:50
@renovate renovate bot changed the title Update dependency protobuf to v5.29.5 [SECURITY] Update dependency protobuf to v6 [SECURITY] Aug 21, 2025
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from d73bb2d to c356b3c Compare August 21, 2025 04:50
@renovate renovate bot changed the title Update dependency protobuf to v6 [SECURITY] Update dependency protobuf to v5.29.5 [SECURITY] Aug 21, 2025
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch 2 times, most recently from 9d41465 to 088473f Compare August 24, 2025 09:59
@renovate renovate bot changed the title Update dependency protobuf to v5.29.5 [SECURITY] Update dependency protobuf to v6 [SECURITY] Aug 31, 2025
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 088473f to c7ce762 Compare August 31, 2025 14:03
@renovate renovate bot changed the title Update dependency protobuf to v6 [SECURITY] Update dependency protobuf to v5.29.5 [SECURITY] Aug 31, 2025
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from c7ce762 to 271ed84 Compare August 31, 2025 16:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants