Skip to content

protobuf-4.25.8-cp37-abi3-manylinux2014_x86_64.whl: 1 vulnerabilities (highest severity is: 8.6) #6441

New issue
New issue
Open
Open
protobuf-4.25.8-cp37-abi3-manylinux2014_x86_64.whl: 1 vulnerabilities (highest severity is: 8.6)#6441
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSourceuntriaged
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Jan 28, 2026
Vulnerable Library - protobuf-4.25.8-cp37-abi3-manylinux2014_x86_64.whl

No project description provided

Library home page: https://files.pythonhosted.org/packages/d6/c6/c9deaa6e789b6fc41b88ccbdfe7a42d2b82663248b715f55aa77fbc00724/protobuf-4.25.8-cp37-abi3-manylinux2014_x86_64.whl

Path to dependency file: /examples/trace-analytics-sample-app/sample-app/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260130225532_CBCNNY/python_LPBYUT/202601302255321/env/lib/python3.9/site-packages/protobuf-4.25.8.dist-info

Found in HEAD commit: aff23afca7be6eb37ce42d1448e445bc8b72b853

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (protobuf version) Remediation Possible**
CVE-2026-0994 High 8.6 protobuf-4.25.8-cp37-abi3-manylinux2014_x86_64.whl Direct N/A

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-0994

Vulnerable Library - protobuf-4.25.8-cp37-abi3-manylinux2014_x86_64.whl

No project description provided

Library home page: https://files.pythonhosted.org/packages/d6/c6/c9deaa6e789b6fc41b88ccbdfe7a42d2b82663248b715f55aa77fbc00724/protobuf-4.25.8-cp37-abi3-manylinux2014_x86_64.whl

Path to dependency file: /examples/trace-analytics-sample-app/sample-app/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260130225532_CBCNNY/python_LPBYUT/202601302255321/env/lib/python3.9/site-packages/protobuf-4.25.8.dist-info

Dependency Hierarchy:

  • protobuf-4.25.8-cp37-abi3-manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: aff23afca7be6eb37ce42d1448e445bc8b72b853

Found in base branch: main

Vulnerability Details

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.
Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

Publish Date: 2026-01-23

URL: CVE-2026-0994

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSourceuntriaged

    Type

    No type

    Projects

    Data Prepper Tracking Board

    Status

    Unplanned

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions