chore(deps): update dependency protobuf to v6.31.1 [security] by renovate-bot · Pull Request #2422 · googleapis/gapic-generator-python

renovate-bot · 2025-08-10T10:35:24Z

This PR contains the following updates:

Package	Change	Age	Confidence
protobuf	`==6.31.0` -> `==6.31.1`

GitHub Vulnerability Alerts

CVE-2025-4565

Summary

Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team
ecosystem@trailofbits.com

Affected versions: This issue only affects the pure-Python implementation of protobuf-python backend. This is the implementation when PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default.

This is a Python variant of a previous issue affecting protobuf-java.

Severity

This is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker.

Proof of Concept

For reproduction details, please refer to the unit tests decoder_test.py and message_test

Remediation and Mitigation

A mitigation is available now. Please update to the latest available versions of the following packages:

protobuf-python(4.25.8, 5.29.5, 6.31.1)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

forking-renovate · 2025-08-28T01:05:39Z

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

renovate-bot requested a review from a team August 10, 2025 10:35

trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Aug 10, 2025

blunderbuss-gcf bot assigned parthea Aug 10, 2025

product-auto-label bot added the size: s Pull request size is small. label Aug 10, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 10, 2025

renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 67c1210 to c585401 Compare August 10, 2025 16:10

trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 10, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 10, 2025

renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from c585401 to a5c5e52 Compare August 10, 2025 21:06

trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 10, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 10, 2025

renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from a5c5e52 to 41d6aea Compare August 11, 2025 05:13

trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 11, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 11, 2025

renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 41d6aea to 1a0fdb3 Compare August 11, 2025 14:35

trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 11, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 11, 2025

renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 1a0fdb3 to 637ecac Compare August 11, 2025 21:25

trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 11, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 11, 2025

renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 637ecac to 1001d19 Compare August 12, 2025 11:34

trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 12, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 12, 2025

renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 1001d19 to 8c9a585 Compare August 12, 2025 17:40

trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 12, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 12, 2025

renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 8c9a585 to 07e0de0 Compare August 13, 2025 01:07

trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 13, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 13, 2025

renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from f57eb2c to 58166bd Compare August 15, 2025 05:19

trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 15, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 15, 2025

renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 58166bd to 3921f6e Compare August 15, 2025 12:23

trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 15, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 15, 2025

renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 3921f6e to 5dee86c Compare August 15, 2025 20:49

trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 15, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 15, 2025

renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 5dee86c to 1b6719f Compare August 16, 2025 06:13

trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 16, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 16, 2025

renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 1b6719f to 3e4efe9 Compare August 16, 2025 14:30

trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 16, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 16, 2025

renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 3e4efe9 to 6c5bdbf Compare August 16, 2025 22:28

trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 16, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 16, 2025

renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 6c5bdbf to ae09000 Compare August 17, 2025 05:44

trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 17, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 17, 2025

renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from ae09000 to 405fd94 Compare August 17, 2025 12:57

trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 17, 2025

gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 17, 2025

renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 405fd94 to 96bc928 Compare August 17, 2025 22:34

renovate-bot and others added 2 commits August 27, 2025 23:29

chore(deps): update dependency protobuf to v6.31.1 [security]

a7a2e26

Merge branch 'main' into renovate/pypi-protobuf-vulnerability

feadbc1

parthea approved these changes Aug 28, 2025

View reviewed changes

Merge branch 'main' into renovate/pypi-protobuf-vulnerability

a259927

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency protobuf to v6.31.1 [security]#2422

chore(deps): update dependency protobuf to v6.31.1 [security]#2422
parthea merged 3 commits intogoogleapis:mainfrom
renovate-bot:renovate/pypi-protobuf-vulnerability

renovate-bot commented Aug 10, 2025

Uh oh!

forking-renovate bot commented Aug 28, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

renovate-bot commented Aug 10, 2025

GitHub Vulnerability Alerts

CVE-2025-4565

Summary

Severity

Proof of Concept

Remediation and Mitigation

Configuration

Uh oh!

forking-renovate bot commented Aug 28, 2025

Edited/Blocked Notification

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants