@renovate renovate bot commented Jun 16, 2025

This PR contains the following updates:

Package    Change
protobuf   ==5.29.1 -> ==5.29.5

GitHub Vulnerability Alerts

CVE-2025-4565

Summary

Any project that uses the Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages, or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team
ecosystem@trailofbits.com

Affected versions: This issue only affects the pure-Python implementation of the protobuf-python backend. This is the implementation used when the PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python environment variable is set, or the default when protobuf is used from Bazel or pure-Python PyPI wheels. CPython PyPI wheels do not use pure-Python by default.

This is a Python variant of a previous issue affecting protobuf-java.

Severity

This is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker.
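One defensive pre-check for the group-nesting vector described above, added here as an example (it is not code from this PR or from the protobuf project): walk the wire format once with a loop and an explicit stack, and refuse input whose SGROUP nesting exceeds a chosen limit before it reaches a parser that recurses per group. The wire-type constants and the depth limit are this example's own assumptions; nested length-delimited messages cannot be seen without a schema, so updating to a fixed version remains the real remediation.

```python
WT_VARINT, WT_I64, WT_LEN, WT_SGROUP, WT_EGROUP, WT_I32 = 0, 1, 2, 3, 4, 5  # wire types

class MalformedWire(ValueError):
    """Wire data the scanner cannot walk: truncated, overlong or unbalanced."""

def _read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a base-128 varint at pos; return (value, position after it)."""
    result = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise MalformedWire("truncated or overlong varint")
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def max_group_depth(buf: bytes) -> int:
    """Deepest SGROUP nesting, found with a loop and an explicit stack (no recursion)."""
    pos, deepest, stack = 0, 0, []  # stack holds field numbers of open groups
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field, wt = tag >> 3, tag & 7
        if wt == WT_VARINT:
            _, pos = _read_varint(buf, pos)
        elif wt in (WT_I64, WT_I32):
            pos += 8 if wt == WT_I64 else 4
        elif wt == WT_LEN:  # nested messages, strings, bytes: skipped as opaque
            length, pos = _read_varint(buf, pos)
            pos += length
        elif wt == WT_SGROUP:
            stack.append(field)
            deepest = max(deepest, len(stack))
        elif wt == WT_EGROUP:
            if not stack or stack.pop() != field:
                raise MalformedWire("EGROUP without matching SGROUP")
        else:
            raise MalformedWire(f"unknown wire type {wt}")
        if pos > len(buf):
            raise MalformedWire("field runs past end of buffer")
    if stack:
        raise MalformedWire("unterminated group")
    return deepest

def is_safe_to_parse(buf: bytes, max_depth: int = 100) -> bool:
    # Gate for untrusted input: False on excessive nesting or malformed wire data.
    try:
        return max_group_depth(buf) <= max_depth
    except MalformedWire:
        return False
```

The sample messages in the checks below are constructed by hand (field 1 as a group is tag 0x0b/0x0c); a rejected buffer should be logged and dropped, never retried with a raised recursion limit.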

Proof of Concept

For reproduction details, please refer to the unit tests decoder_test.py and message_test

Remediation and Mitigation

A mitigation is available now. Please update to the latest available versions of the following packages:

  • protobuf-python (4.25.8, 5.29.5, 6.31.1)

Configuration

📅 Schedule: Branch creation - "" in timezone America/Vancouver, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch 8 times, most recently from 6adf708 to 0c6699b, June 21, 2025 01:30
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch 4 times, most recently from 78843a5 to 53b776e, June 27, 2025 18:56
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch 4 times, most recently from 118cb56 to 1d3bf7d, July 10, 2025 03:48
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch 8 times, most recently from 92ca4b5 to 3e24397, July 23, 2025 17:47
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch 2 times, most recently from a38b0c0 to ddec5d3, July 24, 2025 22:46
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from ddec5d3 to 27db0ce, July 24, 2025 23:09
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 27db0ce to 338d231, July 24, 2025 23:32
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch 7 times, most recently from 1abf619 to 8a28d8b, September 18, 2025 21:15
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 8a28d8b to 0f05f3b, September 20, 2025 00:47
@renovate renovate bot changed the title from "chore(deps): update dependency protobuf to v5.29.5 [security]" to "chore(deps): update dependency protobuf to v5.29.5 [security] - autoclosed", Oct 1, 2025
@renovate renovate bot closed this Oct 1, 2025
@renovate renovate bot changed the title from "chore(deps): update dependency protobuf to v5.29.5 [security] - autoclosed" to "chore(deps): update dependency protobuf to v5.29.5 [security]", Oct 2, 2025
@renovate renovate bot reopened this Oct 2, 2025
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from a8e2e54 to 0f05f3b, October 2, 2025 01:38
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch 3 times, most recently from 9ff4004 to f99df51, November 3, 2025 22:36
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch 4 times, most recently from ab68fad to 8eae408, November 25, 2025 20:48
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch 3 times, most recently from 8998890 to 1fe182e, December 3, 2025 04:36
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch 2 times, most recently from 53706c3 to dab0eee, December 11, 2025 09:13
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from dab0eee to 9ea2b08, December 17, 2025 00:37
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch 2 times, most recently from 3bd8305 to 639fd96, January 7, 2026 10:55
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 639fd96 to 6b883dc, January 8, 2026 00:23