{"id":"GO-2024-2611","summary":"Infinite loop in JSON unmarshaling in google.golang.org/protobuf","details":"The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.","aliases":["CVE-2024-24786","GHSA-8r3f-844c-mc37"],"modified":"2026-04-04T10:29:11.501227111Z","published":"2024-03-05T20:24:05Z","related":["CGA-p6mq-m46f-v73f","RHSA-2024:0043","RHSA-2024:0045","RHSA-2024:1456","RHSA-2024:1461","RHSA-2024:1563","RHSA-2024:1574","RHSA-2024:1874","RHSA-2024:2548","RHSA-2024:2549","RHSA-2024:2550","RHSA-2024:3254","RHSA-2024:3634","RHSA-2024:3635","RHSA-2024:3636","RHSA-2024:3715","RHSA-2024:4246","RHSA-2024:4597"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2024-2611"},"references":[{"type":"FIX","url":"https://go.dev/cl/569356"}],"affected":[{"package":{"name":"google.golang.org/protobuf","ecosystem":"Go","purl":"pkg:golang/google.golang.org/protobuf"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.33.0"}]}],"ecosystem_specific":{"imports":[{"path":"google.golang.org/protobuf/encoding/protojson","symbols":["Unmarshal","UnmarshalOptions.Unmarshal","UnmarshalOptions.unmarshal"]},{"path":"google.golang.org/protobuf/internal/encoding/json","symbols":["Decoder.Peek","Decoder.Read"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2611.json"}}],"schema_version":"1.7.5"}