CVE-2025-53605 is a medium-severity vulnerability affecting the Rust protobuf crate maintained by the stepancheg project, specifically versions before 3.7.2. The vulnerability arises from uncontrolled recursion in the function protobuf::coded_input_stream::CodedInputStream::skip_group, which is responsible for parsing unknown fields in Protocol Buffers (protobuf) messages. When untrusted input is processed, this uncontrolled recursion can lead to a stack overflow or denial of service (DoS) condition due to excessive recursive calls without proper termination checks. This vulnerability is classified under CWE-674 (Uncontrolled Recursion), indicating that the recursive parsing logic does not have adequate safeguards to prevent infinite or excessively deep recursion. The CVSS v3.1 base score is 5.9 (medium), with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N/I:N), but high impact on availability (A:H). No known exploits are currently reported in the wild, and no official patches or updates are linked yet, though the vulnerability is fixed in version 3.7.2 and later. The vulnerability affects any Rust application using the protobuf crate versions prior to 3.7.2 that processes untrusted protobuf messages containing unknown fields, potentially allowing attackers to trigger denial of service by sending crafted protobuf data that causes the parser to recurse uncontrollably and crash or hang the application.

For European organizations, this vulnerability poses a significant risk primarily to availability of services that rely on Rust applications using the vulnerable protobuf crate for message serialization and deserialization. Applications processing untrusted protobuf input—such as network services, APIs, or inter-service communication layers—may be susceptible to denial of service attacks, leading to service outages or degraded performance. This can affect sectors including finance, telecommunications, healthcare, and critical infrastructure where Rust-based microservices or backend components are deployed. Although the vulnerability does not compromise confidentiality or integrity, the availability impact can disrupt business operations, cause financial losses, and damage reputation. Given the increasing adoption of Rust in performance-critical and security-sensitive applications across Europe, the risk is non-trivial. The lack of known exploits currently reduces immediate threat but does not eliminate the risk, especially as attackers may develop exploits once the vulnerability becomes widely known.

European organizations should prioritize upgrading the protobuf crate to version 3.7.2 or later in all Rust projects to eliminate the uncontrolled recursion vulnerability. For applications where immediate upgrade is not feasible, implement input validation and filtering to reject or sanitize protobuf messages containing unknown groups or fields before parsing. Employ runtime monitoring and resource limits to detect and mitigate excessive recursion or stack usage, such as configuring process-level stack size limits or using sandboxing techniques. Conduct thorough code audits to identify any custom protobuf parsing logic that might be vulnerable. Additionally, implement robust logging and alerting to detect anomalous protobuf message patterns indicative of exploitation attempts. Coordinate with software supply chain teams to ensure all dependencies are updated promptly and maintain an inventory of Rust-based components using protobuf. Finally, consider deploying Web Application Firewalls (WAFs) or network-level protections to block suspicious protobuf traffic patterns if protobuf messages are transmitted over network protocols.