Skip to content
This repository was archived by the owner on Mar 9, 2026. It is now read-only.

chore(deps): update dependency protobuf to v6.31.1 [security] - autoclosed#1423

Closed
renovate-bot wants to merge 1 commit intogoogleapis:mainfrom
renovate-bot:renovate/pypi-protobuf-vulnerability
Closed

chore(deps): update dependency protobuf to v6.31.1 [security] - autoclosed#1423
renovate-bot wants to merge 1 commit intogoogleapis:mainfrom
renovate-bot:renovate/pypi-protobuf-vulnerability

Conversation

@renovate-bot
Copy link
Copy Markdown
Contributor

@renovate-bot renovate-bot commented Jun 16, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
protobuf ==6.31.0 -> ==6.31.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-4565

Summary

Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team
ecosystem@trailofbits.com

Affected versions: This issue only affects the pure-Python implementation of protobuf-python backend. This is the implementation when PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default.

This is a Python variant of a previous issue affecting protobuf-java.

Severity

This is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker.

Proof of Concept

For reproduction details, please refer to the unit tests decoder_test.py and message_test

Remediation and Mitigation

A mitigation is available now. Please update to the latest available versions of the following packages:

  • protobuf-python(4.25.8, 5.29.5, 6.31.1)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot requested a review from a team as a code owner June 16, 2025 22:28
@renovate-bot renovate-bot requested review from a team and nicain June 16, 2025 22:28
@trusted-contributions-gcf trusted-contributions-gcf Bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Jun 16, 2025
@product-auto-label product-auto-label Bot added size: xs Pull request size is extra small. api: pubsub Issues related to the googleapis/python-pubsub API. samples Issues that are directly related to samples. labels Jun 16, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 16, 2025
@abbrowne126 abbrowne126 enabled auto-merge (squash) June 16, 2025 23:14
auto-merge was automatically disabled June 17, 2025 00:36

Head branch was pushed to by a user without write access

@renovate-bot renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 07d2c23 to 3ec545e Compare June 17, 2025 00:36
@trusted-contributions-gcf trusted-contributions-gcf Bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 17, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 17, 2025
@renovate-bot renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 3ec545e to 382ae70 Compare June 17, 2025 04:03
@trusted-contributions-gcf trusted-contributions-gcf Bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 17, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 17, 2025
@renovate-bot renovate-bot force-pushed the renovate/pypi-protobuf-vulnerability branch from 382ae70 to 57a05d9 Compare June 17, 2025 14:14
@trusted-contributions-gcf trusted-contributions-gcf Bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 17, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 17, 2025
@renovate-bot renovate-bot changed the title chore(deps): update dependency protobuf to v6.31.1 [security] chore(deps): update dependency protobuf to v6.31.1 [security] - autoclosed Jun 17, 2025
@renovate-bot renovate-bot deleted the renovate/pypi-protobuf-vulnerability branch June 17, 2025 15:54
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@nicain nicain Awaiting requested review from nicain nicain is a code owner automatically assigned from googleapis/python-samples-reviewers

1 more reviewer

@abbrowne126 abbrowne126 abbrowne126 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@abbrowne126 abbrowne126

Labels

api: pubsub Issues related to the googleapis/python-pubsub API. owlbot:run Add this label to trigger the Owlbot post processor. samples Issues that are directly related to samples. size: xs Pull request size is extra small.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@renovate-bot @abbrowne126 @yoshi-kokoro