Advisories for Cargo/Protobuf package

2025

Crash due to uncontrolled recursion in protobuf crate

Affected version of this crate did not properly parse unknown fields when parsing a user-supplied input. This allows an attacker to cause a stack overflow when parsing the message on untrusted data.

2021

Uncontrolled memory consumption in protobuf

Affected versions of this crate called Vec::reserve() on user-supplied input. This allows an attacker to cause an Out of Memory condition while calling the vulnerable method on untrusted data.