Skip to content

chore(deps): update dependency protobuf to v6.31.1 [security] #2422

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Aug 28, 2025
Merged

chore(deps): update dependency protobuf to v6.31.1 [security] #2422

merged 3 commits into from
Aug 28, 2025

Conversation

renovate-bot
Copy link
Contributor

This PR contains the following updates:

Package Change Age Confidence
protobuf ==6.31.0 -> ==6.31.1 age confidence

GitHub Vulnerability Alerts

CVE-2025-4565

Summary

Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team
[email protected]

Affected versions: This issue only affects the pure-Python implementation of protobuf-python backend. This is the implementation when PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default.

This is a Python variant of a previous issue affecting protobuf-java.

Severity

This is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker.

Proof of Concept

For reproduction details, please refer to the unit tests decoder_test.py and message_test

Remediation and Mitigation

A mitigation is available now. Please update to the latest available versions of the following packages:

  • protobuf-python(4.25.8, 5.29.5, 6.31.1)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot requested a review from a team as a code owner August 10, 2025 10:35
@trusted-contributions-gcf trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Aug 10, 2025
@product-auto-label product-auto-label bot added the size: s Pull request size is small. label Aug 10, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 10, 2025
@renovate-bot renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 67c1210 to c585401 Compare August 10, 2025 16:10
@trusted-contributions-gcf trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 10, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 10, 2025
@renovate-bot renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from c585401 to a5c5e52 Compare August 10, 2025 21:06
@trusted-contributions-gcf trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 10, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 10, 2025
@renovate-bot renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from a5c5e52 to 41d6aea Compare August 11, 2025 05:13
@trusted-contributions-gcf trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 11, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 11, 2025
@renovate-bot renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 41d6aea to 1a0fdb3 Compare August 11, 2025 14:35
@trusted-contributions-gcf trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 11, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 11, 2025
@renovate-bot renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 1a0fdb3 to 637ecac Compare August 11, 2025 21:25
@trusted-contributions-gcf trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 11, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 11, 2025
@renovate-bot renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 637ecac to 1001d19 Compare August 12, 2025 11:34
@trusted-contributions-gcf trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 12, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 12, 2025
@renovate-bot renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 1001d19 to 8c9a585 Compare August 12, 2025 17:40
@trusted-contributions-gcf trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 12, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 12, 2025
@renovate-bot renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 8c9a585 to 07e0de0 Compare August 13, 2025 01:07
@trusted-contributions-gcf trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 13, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 13, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 25, 2025
@renovate-bot renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from b1a9b45 to e3c8c96 Compare August 25, 2025 13:03
@trusted-contributions-gcf trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 25, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 25, 2025
@renovate-bot renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from e3c8c96 to 7c7c604 Compare August 25, 2025 21:52
@trusted-contributions-gcf trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 25, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 25, 2025
@renovate-bot renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 7c7c604 to 7703387 Compare August 26, 2025 07:55
@trusted-contributions-gcf trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 26, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 26, 2025
@renovate-bot renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 7703387 to 4d10646 Compare August 26, 2025 22:52
@trusted-contributions-gcf trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 26, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 26, 2025
@renovate-bot renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 4d10646 to 7d10dbc Compare August 27, 2025 06:26
@trusted-contributions-gcf trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 27, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 27, 2025
@renovate-bot renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 7d10dbc to a7a2e26 Compare August 27, 2025 23:29
@trusted-contributions-gcf trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 27, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 27, 2025
@trusted-contributions-gcf trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 28, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 28, 2025
@forking-renovate Forking Renovate
Copy link

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@trusted-contributions-gcf trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 28, 2025
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 28, 2025
@parthea parthea enabled auto-merge (squash) August 28, 2025 01:36
@parthea parthea merged commit 778cf17 into googleapis:main Aug 28, 2025
121 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@parthea parthea parthea approved these changes

Assignees

@parthea parthea

Labels
kokoro:force-run Add this label to force Kokoro to re-run the tests. size: s Pull request size is small.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@renovate-bot @parthea