deps: update dependency com.google.protobuf:protobuf-java to v3.25.5 [security] #4440

renovate-bot · 2024-09-19T16:27:42Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
com.google.protobuf:protobuf-java (source)	`3.25.1` -> `3.25.5`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-7254

Summary

When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team [email protected]

Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.

Severity

CVE-2024-7254 High CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)
This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

Proof of Concept

For reproduction details, please refer to the unit tests (Protobuf Java LiteTest and CodedInputStreamTest) that identify the specific inputs that exercise this parsing weakness.

Remediation and Mitigation

We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:

protobuf-java (3.25.5, 4.27.5, 4.28.2)
protobuf-javalite (3.25.5, 4.27.5, 4.28.2)
protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)
protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)
com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)

Release Notes

protocolbuffers/protobuf (com.google.protobuf:protobuf-java)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

…[security]

renovate-bot requested a review from a team as a code owner September 19, 2024 16:27

trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Sep 19, 2024

product-auto-label bot added size: xs Pull request size is extra small. api: bigtable Issues related to the googleapis/java-bigtable-hbase API. labels Sep 19, 2024

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Sep 19, 2024

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Sep 19, 2024

renovate-bot force-pushed the renovate/maven-com.google.protobuf-protobuf-java-vulnerability branch from b9af5b1 to ad95544 Compare October 28, 2024 16:13

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 28, 2024

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 28, 2024

renovate-bot force-pushed the renovate/maven-com.google.protobuf-protobuf-java-vulnerability branch from ad95544 to 3d7cc59 Compare January 23, 2025 23:09

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jan 23, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jan 23, 2025

renovate-bot force-pushed the renovate/maven-com.google.protobuf-protobuf-java-vulnerability branch from 3d7cc59 to 972e5cf Compare March 17, 2025 12:55

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Mar 17, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Mar 17, 2025

renovate-bot force-pushed the renovate/maven-com.google.protobuf-protobuf-java-vulnerability branch from 972e5cf to 21946dd Compare April 8, 2025 13:42

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Apr 8, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Apr 8, 2025

renovate-bot force-pushed the renovate/maven-com.google.protobuf-protobuf-java-vulnerability branch from 21946dd to 1f57986 Compare May 28, 2025 08:53

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 28, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 28, 2025

renovate-bot force-pushed the renovate/maven-com.google.protobuf-protobuf-java-vulnerability branch from 1f57986 to 65633e2 Compare May 28, 2025 17:40

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 28, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 28, 2025

renovate-bot force-pushed the renovate/maven-com.google.protobuf-protobuf-java-vulnerability branch from 65633e2 to 38d9f8a Compare May 28, 2025 23:09

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 28, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 28, 2025

renovate-bot force-pushed the renovate/maven-com.google.protobuf-protobuf-java-vulnerability branch from 38d9f8a to 5900f1b Compare May 29, 2025 01:24

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 29, 2025

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 7, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 7, 2025

renovate-bot force-pushed the renovate/maven-com.google.protobuf-protobuf-java-vulnerability branch from 8563a3b to 2ae067d Compare October 7, 2025 15:45

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 7, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 7, 2025

renovate-bot force-pushed the renovate/maven-com.google.protobuf-protobuf-java-vulnerability branch from 2ae067d to d71a7a6 Compare October 8, 2025 00:15

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Oct 8, 2025