PYSEC-2026-1805

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/protobuf/PYSEC-2026-1805.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2026-1805
Aliases
Published
2026-07-07T16:03:20.164682Z
Modified
2026-07-07T17:47:53.247887825Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L CVSS Calculator
Summary
protobuf affected by a JSON recursion depth bypass
Details

A denial-of-service (DoS) vulnerability exists in google.protobuf.jsonformat.ParseDict() in Python, where the maxrecursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.

Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

References

Affected packages

PyPI / protobuf

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.29.6
Introduced
6.30.0rc1
Fixed
6.33.5

Affected versions

2.*
2.0.0beta
2.0.3
2.3.0
2.4.1
2.5.0
2.6.0
2.6.1
3.*
3.0.0a2
3.0.0a3
3.0.0b1
3.0.0b1.post1
3.0.0b1.post2
3.0.0b2
3.0.0b2.post1
3.0.0b2.post2
3.0.0b3
3.0.0b4
3.0.0
3.1.0
3.1.0.post1
3.2.0rc1
3.2.0rc1.post1
3.2.0rc2
3.2.0
3.3.0
3.4.0
3.5.0.post1
3.5.1
3.5.2
3.5.2.post1
3.6.0
3.6.1
3.7.0rc2
3.7.0rc3
3.7.0
3.7.1
3.8.0rc1
3.8.0
3.9.0rc1
3.9.0
3.9.1
3.9.2
3.10.0rc1
3.10.0
3.11.0rc1
3.11.0rc2
3.11.0
3.11.1
3.11.2
3.11.3
3.12.0rc1
3.12.0rc2
3.12.0
3.12.1
3.12.2
3.12.4
3.13.0rc3
3.13.0
3.14.0rc1
3.14.0rc2
3.14.0rc3
3.14.0
3.15.0rc1
3.15.0rc2
3.15.0
3.15.1
3.15.2
3.15.3
3.15.4
3.15.5
3.15.6
3.15.7
3.15.8
3.16.0rc1
3.16.0rc2
3.16.0
3.17.0rc1
3.17.0rc2
3.17.0
3.17.1
3.17.2
3.17.3
3.18.0rc1
3.18.0rc2
3.18.0
3.18.1
3.18.3
3.19.0rc1
3.19.0rc2
3.19.0
3.19.1
3.19.2
3.19.3
3.19.4
3.19.5
3.19.6
3.20.0rc1
3.20.0rc2
3.20.0
3.20.1rc1
3.20.1
3.20.2
3.20.3
4.*
4.0.0rc1
4.0.0rc2
4.21.0rc1
4.21.0rc2
4.21.0
4.21.1
4.21.2
4.21.3
4.21.4
4.21.5
4.21.6
4.21.7
4.21.8
4.21.9
4.21.10
4.21.11
4.21.12
4.22.0rc1
4.22.0rc2
4.22.0rc3
4.22.0
4.22.1
4.22.3
4.22.4
4.22.5
4.23.0rc2
4.23.0rc3
4.23.0
4.23.1
4.23.2
4.23.3
4.23.4
4.24.0rc1
4.24.0rc2
4.24.0rc3
4.24.0
4.24.1
4.24.2
4.24.3
4.24.4
4.25.0rc1
4.25.0rc2
4.25.0
4.25.1
4.25.2
4.25.3
4.25.4
4.25.5
4.25.6
4.25.7
4.25.8
4.25.9
5.*
5.26.0rc1
5.26.0rc2
5.26.0rc3
5.26.0
5.26.1
5.27.0rc1
5.27.0rc2
5.27.0rc3
5.27.0
5.27.1
5.27.2
5.27.3
5.27.4
5.27.5
5.28.0rc1
5.28.0rc2
5.28.0rc3
5.28.0
5.28.1
5.28.2
5.28.3
5.29.0rc1
5.29.0rc2
5.29.0rc3
5.29.0
5.29.1
5.29.2
5.29.3
5.29.4
5.29.5
6.*
6.30.0rc1
6.30.0rc2
6.30.0
6.30.1
6.30.2
6.31.0rc1
6.31.0rc2
6.31.0
6.31.1
6.32.0rc1
6.32.0rc2
6.32.0
6.32.1
6.33.0rc1
6.33.0rc2
6.33.0
6.33.1
6.33.2
6.33.3
6.33.4

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/protobuf/PYSEC-2026-1805.yaml"