deps: update dependency com.google.protobuf:protobuf-java to v3.25.5 [security] #2060

renovate-bot · 2025-01-23T18:34:37Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
com.google.protobuf:protobuf-java (source)	`3.21.12` -> `3.25.5`

GitHub Vulnerability Alerts

CVE-2024-7254

Summary

When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team [email protected]

Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.

Severity

CVE-2024-7254 High CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)
This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

Proof of Concept

For reproduction details, please refer to the unit tests (Protobuf Java LiteTest and CodedInputStreamTest) that identify the specific inputs that exercise this parsing weakness.

Remediation and Mitigation

We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:

protobuf-java (3.25.5, 4.27.5, 4.28.2)
protobuf-javalite (3.25.5, 4.27.5, 4.28.2)
protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)
protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)
com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)

Release Notes

protocolbuffers/protobuf (com.google.protobuf:protobuf-java)

`v3.25.5`

Compare Source

`v3.25.4`

`v3.25.3`

Compare Source

`v3.25.2`

`v3.23.4`

`v3.23.2`

Compare Source

`v3.23.1`

Compare Source

`v3.23.0`

Compare Source

`v3.22.4`

Compare Source

`v3.22.3`

Compare Source

`v3.22.2`

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

dpebot · 2025-01-23T18:34:45Z

/gcbrun

dpebot · 2025-02-04T20:25:16Z

/gcbrun

dpebot · 2025-03-03T17:27:47Z

/gcbrun

dpebot · 2025-04-28T14:46:24Z

/gcbrun

ldetmer · 2025-04-28T15:01:25Z

also seems not java 7 compliant

forking-renovate · 2025-04-28T15:39:27Z

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

dpebot · 2025-05-28T07:53:13Z

/gcbrun

dpebot · 2025-05-28T12:44:44Z

/gcbrun

dpebot · 2025-05-28T22:08:21Z

/gcbrun

dpebot · 2025-06-02T05:49:40Z

/gcbrun

dpebot · 2025-06-02T11:00:06Z

/gcbrun

dpebot · 2025-06-02T16:11:19Z

/gcbrun

dpebot · 2025-06-02T19:13:21Z

/gcbrun

dpebot · 2025-06-02T23:10:22Z

/gcbrun

dpebot · 2025-06-03T02:06:11Z

/gcbrun

…[security]

dpebot · 2025-06-03T05:35:06Z

/gcbrun

renovate-bot requested a review from a team as a code owner January 23, 2025 18:34

product-auto-label bot added the size: xs Pull request size is extra small. label Jan 23, 2025

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jan 23, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jan 23, 2025

renovate-bot force-pushed the renovate/project.protobuf-java.version branch from a797ca2 to c684b51 Compare February 4, 2025 20:25

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 4, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Feb 4, 2025

renovate-bot force-pushed the renovate/project.protobuf-java.version branch from c684b51 to 9f4f4fc Compare March 3, 2025 17:27

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Mar 3, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Mar 3, 2025

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Apr 28, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Apr 28, 2025

renovate-bot force-pushed the renovate/project.protobuf-java.version branch from 02fe0bd to edb3bfa Compare May 28, 2025 07:53

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 28, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 28, 2025

renovate-bot force-pushed the renovate/project.protobuf-java.version branch from edb3bfa to 3bd5a10 Compare May 28, 2025 12:44

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 28, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 28, 2025

renovate-bot force-pushed the renovate/project.protobuf-java.version branch from 3bd5a10 to 44e5b62 Compare May 28, 2025 22:08

trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 28, 2025

yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 28, 2025