CVE-2025-53605: CWE-674 Uncontrolled Recursion in stepancheg protobuf
The protobuf crate before 3.7.2 for Rust allows uncontrolled recursion in the protobuf::coded_input_stream::CodedInputStream::skip_group parsing of unknown fields in untrusted input.
AI Analysis
Technical Summary
CVE-2025-53605 is a medium-severity vulnerability affecting the Rust protobuf crate maintained by the stepancheg project, specifically versions before 3.7.2. The vulnerability arises from uncontrolled recursion in the function protobuf::coded_input_stream::CodedInputStream::skip_group, which is responsible for skipping unknown fields in Protocol Buffers (protobuf) messages. When untrusted input is processed, this uncontrolled recursion can exhaust the stack and cause a denial of service (DoS), because the recursive calls have no termination check that bounds nesting depth. This vulnerability is classified under CWE-674 (Uncontrolled Recursion), indicating that the recursive parsing logic lacks adequate safeguards against infinite or excessively deep recursion. The CVSS v3.1 base score is 5.9 (medium), with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N/I:N), but high impact on availability (A:H). No known exploits are currently reported in the wild, and no official patches or updates are linked yet, though the vulnerability is fixed in version 3.7.2 and later. The vulnerability affects any Rust application using the protobuf crate versions prior to 3.7.2 that processes untrusted protobuf messages containing unknown fields, potentially allowing attackers to trigger denial of service by sending crafted protobuf data that causes the parser to recurse uncontrollably and crash or hang the application.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to the availability of services that rely on Rust applications using the vulnerable protobuf crate for message serialization and deserialization. Applications processing untrusted protobuf input, such as network services, APIs, or inter-service communication layers, may be susceptible to denial of service attacks, leading to service outages or degraded performance. This can affect sectors including finance, telecommunications, healthcare, and critical infrastructure where Rust-based microservices or backend components are deployed. Although the vulnerability does not compromise confidentiality or integrity, the availability impact can disrupt business operations, cause financial losses, and damage reputation. Given the increasing adoption of Rust in performance-critical and security-sensitive applications across Europe, the risk is non-trivial. The lack of known exploits currently reduces the immediate threat but does not eliminate the risk, especially as attackers may develop exploits once the vulnerability becomes widely known.
Mitigation Recommendations
European organizations should prioritize upgrading the protobuf crate to version 3.7.2 or later in all Rust projects to eliminate the uncontrolled recursion vulnerability. For applications where immediate upgrade is not feasible, implement input validation and filtering to reject or sanitize protobuf messages containing unknown groups or fields before parsing. Employ runtime monitoring and resource limits to detect and mitigate excessive recursion or stack usage, such as configuring process-level stack size limits or using sandboxing techniques. Conduct thorough code audits to identify any custom protobuf parsing logic that might be vulnerable. Additionally, implement robust logging and alerting to detect anomalous protobuf message patterns indicative of exploitation attempts. Coordinate with software supply chain teams to ensure all dependencies are updated promptly and maintain an inventory of Rust-based components using protobuf. Finally, consider deploying Web Application Firewalls (WAFs) or network-level protections to block suspicious protobuf traffic patterns if protobuf messages are transmitted over network protocols.
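The safeguard the advisory describes as missing, a bound on how deep unknown-group skipping may recurse, is shown below as an added example in Rust. It is not the protobuf crate's own code: the wire-format skipper, the MAX_GROUP_DEPTH limit and the SkipError type are assumptions for illustration, and the byte sequences in comments are constructed test inputs.

```rust
/// Assumed nesting limit for this example (the crate's own limit is not stated on the page).
pub const MAX_GROUP_DEPTH: usize = 8;
#[derive(Debug, PartialEq)]
pub enum SkipError { TooDeep, Truncated, BadWireType(u8) }

// Advance `pos` by `n` bytes with overflow and bounds checks.
fn advance(buf: &[u8], pos: &mut usize, n: u64) -> Result<(), SkipError> {
    if n > buf.len() as u64 { return Err(SkipError::Truncated); }
    let end = pos.checked_add(n as usize).ok_or(SkipError::Truncated)?;
    if end > buf.len() { return Err(SkipError::Truncated); }
    *pos = end;
    Ok(())
}

// Decode one base-128 varint (at most 10 bytes for a u64).
fn read_varint(buf: &[u8], pos: &mut usize) -> Result<u64, SkipError> {
    let mut value = 0u64;
    for shift in (0..64).step_by(7) {
        let b = *buf.get(*pos).ok_or(SkipError::Truncated)?;
        *pos += 1;
        value |= u64::from(b & 0x7f) << shift;
        if (b & 0x80) == 0 { return Ok(value); }
    }
    Err(SkipError::Truncated)
}

/// Skip a group body (its START_GROUP tag already consumed). `depth` counts enclosing
/// groups; past MAX_GROUP_DEPTH we fail fast instead of recursing until the stack overflows.
fn skip_group(buf: &[u8], pos: &mut usize, depth: usize) -> Result<(), SkipError> {
    if depth > MAX_GROUP_DEPTH { return Err(SkipError::TooDeep); }
    loop {
        let tag = read_varint(buf, pos)?;
        match (tag & 7) as u8 {
            0 => { read_varint(buf, pos)?; }              // varint
            1 => advance(buf, pos, 8)?,                   // fixed64
            2 => { let n = read_varint(buf, pos)?; advance(buf, pos, n)?; } // length-delimited
            3 => skip_group(buf, pos, depth + 1)?,        // nested START_GROUP: recurse, bounded
            4 => return Ok(()),                           // END_GROUP closes this group
            5 => advance(buf, pos, 4)?,                   // fixed32
            w => return Err(SkipError::BadWireType(w)),
        }
    }
}

/// Skip one unknown group beginning at `buf[0]`; returns the number of bytes consumed.
pub fn skip_unknown_group(buf: &[u8]) -> Result<usize, SkipError> {
    let mut pos = 0;
    let tag = read_varint(buf, &mut pos)?;
    if (tag & 7) != 3 { return Err(SkipError::BadWireType((tag & 7) as u8)); }
    skip_group(buf, &mut pos, 1)?;
    Ok(pos)
}
```

With the limit in place, a message nested deeper than MAX_GROUP_DEPTH is rejected with a bounded number of stack frames, which is the property to check in a fuzz or regression test after upgrading.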
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-07-05T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68687b486f40f0eb72a48a41
Added to database: 7/5/2025, 1:09:28 AM
Last enriched: 7/14/2025, 9:25:26 PM
Last updated: 7/16/2025, 11:26:25 PM