CVE-2025-53605: Crash due to uncontrolled recursion in protobuf crate

March 7, 2025 (updated August 1, 2025)

Affected version of this crate did not properly parse unknown fields when parsing a user-supplied input.

This allows an attacker to cause a stack overflow when parsing the message on untrusted data.

References

github.com/advisories/GHSA-2gh3-rmm4-6rq5
github.com/stepancheg/rust-protobuf
github.com/stepancheg/rust-protobuf/commit/f06992f46771c0a092593b9ebf7afd48740b3ed6
github.com/stepancheg/rust-protobuf/issues/749
nvd.nist.gov/vuln/detail/CVE-2025-53605
rustsec.org/advisories/RUSTSEC-2024-0437.html

Code Behaviors & Features

Detect and mitigate CVE-2025-53605 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →