
CVE-2025-53605: CWE-674 Uncontrolled Recursion in stepancheg protobuf

Severity: Medium
Tags: CVE-2025-53605, CWE-674
Published: Sat Jul 05 2025 (07/05/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: stepancheg
Product: protobuf

Description

The protobuf crate before 3.7.2 for Rust allows uncontrolled recursion in the protobuf::coded_input_stream::CodedInputStream::skip_group parsing of unknown fields in untrusted input.

AI-Powered Analysis

AI analysis last updated: 07/05/2025, 01:24:32 UTC

Technical Analysis

CVE-2025-53605 is a medium-severity vulnerability in the Rust protobuf crate maintained by the stepancheg project, affecting versions prior to 3.7.2. It arises from uncontrolled recursion in protobuf::coded_input_stream::CodedInputStream::skip_group, the function that skips unknown fields while parsing untrusted input. Groups are a deprecated protobuf wire-format construct; when the parser meets a group it does not know, it skips the group's contents, and a group may itself contain further groups. Because the nesting depth was not bounded, an attacker can craft a protobuf message whose nesting drives skip_group to a very deep recursion level, causing a stack overflow or resource exhaustion.

The weakness is classified as CWE-674 (Uncontrolled Recursion); its consequence is denial of service (DoS) through a crash or severe degradation of availability. The CVSS v3.1 base score is 5.9: network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N/I:N), and high impact on availability (A:H).

No exploits are currently reported in the wild, and no patch links are included in the provided data, but the vulnerability is fixed in protobuf crate version 3.7.2 and later. The issue matters most for Rust applications that use the protobuf crate to deserialize untrusted or external protobuf data, such as network services, APIs, or inter-process communication systems: a remote attacker can send specially crafted protobuf messages to a vulnerable service and cause a crash or denial of service without authentication or user interaction.
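The following is an added example, not code from the protobuf crate or its maintainers, and this page does not describe how the 3.7.2 fix itself is implemented. It shows the general CWE-674 mitigation for this kind of parser: a minimal skipper for unknown protobuf wire-format fields in which skipping a group carries an explicit depth counter and rejects nesting beyond a limit instead of adding one stack frame per level of attacker-controlled input. `MAX_GROUP_DEPTH`, the `SkipError` type, `skip_unknown_fields` and the `nested_groups` test fixture are this example's own choices and assumptions, not the crate's API; it uses only the Rust standard library.

```rust
/// Errors from the skipper. Every malformed input is a hard, non-recursive failure.
#[derive(Debug, PartialEq, Eq)]
pub enum SkipError {
    Truncated,
    BadVarint,
    BadWireType(u8),
    UnexpectedEndGroup,
    DepthExceeded(usize),
}

/// Maximum group nesting accepted before parsing is aborted. The value is an
/// assumption made for this example, not a limit taken from the protobuf crate.
pub const MAX_GROUP_DEPTH: usize = 64;

/// Read one base-128 varint starting at `*pos`, advancing `*pos` past it.
fn read_varint(buf: &[u8], pos: &mut usize) -> Result<u64, SkipError> {
    let mut value = 0u64;
    let mut shift = 0u32;
    loop {
        let byte = *buf.get(*pos).ok_or(SkipError::Truncated)?;
        *pos += 1;
        if shift >= 64 {
            return Err(SkipError::BadVarint); // more than 10 bytes: not a valid varint
        }
        value |= u64::from(byte & 0x7f) << shift;
        if byte & 0x80 == 0 {
            return Ok(value);
        }
        shift += 7;
    }
}

/// Advance `*pos` by `n` bytes, failing rather than reading past the end of `buf`.
fn advance(buf: &[u8], pos: &mut usize, n: usize) -> Result<(), SkipError> {
    let end = (*pos).checked_add(n).ok_or(SkipError::Truncated)?;
    if end > buf.len() {
        return Err(SkipError::Truncated);
    }
    *pos = end;
    Ok(())
}

/// Skip the payload of one field whose tag (field number + wire type) has
/// already been consumed. `depth` is the number of groups currently open.
fn skip_field(buf: &[u8], pos: &mut usize, field_number: u64, wire_type: u8, depth: usize)
    -> Result<(), SkipError>
{
    match wire_type {
        0 => read_varint(buf, pos).map(|_| ()),            // varint
        1 => advance(buf, pos, 8),                         // fixed64
        2 => {                                             // length-delimited
            let len = read_varint(buf, pos)?;
            let len = usize::try_from(len).map_err(|_| SkipError::Truncated)?;
            advance(buf, pos, len)
        }
        3 => skip_group(buf, pos, field_number, depth + 1), // start group (deprecated)
        4 => Err(SkipError::UnexpectedEndGroup),           // end group with no open group
        5 => advance(buf, pos, 4),                         // fixed32
        other => Err(SkipError::BadWireType(other)),
    }
}

/// Skip the body of a group whose start tag has already been consumed, up to and
/// including the matching end-group tag. The explicit `depth` check is the
/// CWE-674 mitigation: nesting past MAX_GROUP_DEPTH is an error, not another frame.
fn skip_group(buf: &[u8], pos: &mut usize, field_number: u64, depth: usize) -> Result<(), SkipError> {
    if depth > MAX_GROUP_DEPTH {
        return Err(SkipError::DepthExceeded(depth));
    }
    loop {
        let tag = read_varint(buf, pos)?;
        let inner_number = tag >> 3;
        let inner_type = (tag & 7) as u8;
        if inner_type == 4 {
            // The end-group tag must close the group we are in, not some other one.
            return if inner_number == field_number { Ok(()) } else { Err(SkipError::UnexpectedEndGroup) };
        }
        skip_field(buf, pos, inner_number, inner_type, depth)?;
    }
}

/// Treat every field in `buf` as unknown and skip it; returns the number of
/// top-level fields skipped, or the first error encountered.
pub fn skip_unknown_fields(buf: &[u8]) -> Result<usize, SkipError> {
    let mut pos = 0usize;
    let mut count = 0usize;
    while pos < buf.len() {
        let tag = read_varint(buf, &mut pos)?;
        skip_field(buf, &mut pos, tag >> 3, (tag & 7) as u8, 0)?;
        count += 1;
    }
    Ok(count)
}

/// Test fixture (constructed): `n` start-group tags for field 1 (0x0b) followed
/// by `n` matching end-group tags (0x0c), i.e. a group nested `n` levels deep.
pub fn nested_groups(n: usize) -> Vec<u8> {
    let mut bytes = vec![0x0b; n];
    bytes.extend(std::iter::repeat(0x0c).take(n));
    bytes
}

fn main() {
    // A well-formed message: one varint field (1 = 150) and one length-delimited field (2 = "abc").
    println!("{:?}", skip_unknown_fields(&[0x08, 0x96, 0x01, 0x12, 0x03, b'a', b'b', b'c']));
    println!("{:?}", skip_unknown_fields(&nested_groups(MAX_GROUP_DEPTH)));
    println!("{:?}", skip_unknown_fields(&nested_groups(MAX_GROUP_DEPTH + 1)));
}
```

The depth limit is deliberately generous for legitimate data and tiny compared with what a stack can absorb, so the parser fails fast with a typed error that the caller can log and count; the same counter approach applies to any recursive descent over untrusted input (nested messages, nested arrays, nested archives), and the error variant gives the runtime monitoring suggested in the mitigation section something concrete to alert on.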

Potential Impact

For European organizations, the impact of CVE-2025-53605 can be significant in environments where Rust-based applications utilize the vulnerable protobuf crate for processing external data. The primary risk is denial of service, which can disrupt critical services, degrade system availability, and potentially cause cascading failures in microservices architectures or distributed systems relying on protobuf for communication. Sectors such as finance, telecommunications, healthcare, and government services that increasingly adopt Rust for performance and safety may be affected if they use protobuf for data serialization. Disruption in these sectors can lead to operational downtime, loss of customer trust, and regulatory scrutiny under frameworks like GDPR if service availability impacts data processing obligations. Although the vulnerability does not directly compromise confidentiality or integrity, the availability impact alone can cause significant business interruptions. Additionally, the high attack complexity somewhat limits exploitation, but the lack of required privileges or user interaction means that exposed network-facing services remain at risk. Organizations relying on third-party Rust applications or libraries that embed protobuf should also consider indirect exposure. The absence of known exploits in the wild suggests a window for proactive mitigation before active exploitation emerges.

Mitigation Recommendations

To mitigate CVE-2025-53605, European organizations should:

1. Upgrade the protobuf crate to version 3.7.2 or later in all Rust projects to ensure the vulnerability is patched.
2. Conduct a thorough inventory of Rust applications and dependencies to identify usage of the vulnerable protobuf crate, including transitive dependencies.
3. Implement input validation and filtering at network boundaries to block or rate-limit suspicious protobuf messages, especially those containing group fields or unusually nested structures.
4. Employ runtime monitoring and anomaly detection to identify abnormal recursion or resource consumption patterns indicative of exploitation attempts.
5. For critical services, consider deploying Web Application Firewalls (WAFs) or protocol-aware proxies that can detect and block malformed protobuf payloads.
6. Engage in secure coding practices by avoiding deprecated protobuf features like groups and preferring safer serialization alternatives when possible.
7. Maintain an incident response plan that includes procedures for denial of service events caused by malformed input.
8. Collaborate with Rust and protobuf communities to stay informed about patches, advisories, and best practices.

These steps go beyond generic advice by focusing on dependency management, network-level protections, and proactive monitoring tailored to the protobuf and Rust ecosystem.
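For the dependency inventory step, Cargo.lock already lists every resolved crate, transitive ones included, so a scan of that file is the quickest way to find a vulnerable protobuf version across many repositories. The following is an added example written for this page, not a tool from the protobuf project: it parses Cargo.lock text, picks out `[[package]]` entries named exactly `protobuf`, and flags any version below the fixed release 3.7.2 stated in the advisory. `FIXED_VERSION`, `Finding`, `vulnerable_protobuf_versions` and the sample lockfile `SAMPLE_LOCK` are this example's own constructions; the lockfile contents are invented and do not describe any real project.

```rust
/// First protobuf crate release that contains the fix, per the advisory.
pub const FIXED_VERSION: (u64, u64, u64) = (3, 7, 2);

/// Parse a plain "major.minor.patch" version. Anything else (pre-release or
/// build suffixes, a different number of components) returns None.
pub fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut parts = v.split('.').map(|p| p.parse::<u64>().ok());
    let major = parts.next()??;
    let minor = parts.next()??;
    let patch = parts.next()??;
    if parts.next().is_some() {
        return None;
    }
    Some((major, minor, patch))
}

/// One flagged lockfile entry.
#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    pub version: String,
    pub reason: &'static str,
}

/// Scan Cargo.lock text for `[[package]]` entries named exactly `protobuf`
/// (other crates such as `protobuf-support` are ignored) and flag every
/// version below FIXED_VERSION. Versions that do not parse are flagged for
/// manual review rather than silently passed.
pub fn vulnerable_protobuf_versions(lockfile: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut in_package = false;
    let mut name: Option<String> = None;
    for raw in lockfile.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            in_package = true;
            name = None;
        } else if line.starts_with('[') {
            in_package = false; // some other table, e.g. [metadata]
        } else if in_package {
            if let Some(rest) = line.strip_prefix("name = ") {
                name = Some(rest.trim_matches('"').to_string());
            } else if let Some(rest) = line.strip_prefix("version = ") {
                if name.as_deref() != Some("protobuf") {
                    continue;
                }
                let version = rest.trim_matches('"');
                match parse_version(version) {
                    Some(v) if v < FIXED_VERSION => findings.push(Finding {
                        version: version.to_string(),
                        reason: "below fixed version 3.7.2",
                    }),
                    Some(_) => {}
                    None => findings.push(Finding {
                        version: version.to_string(),
                        reason: "unparsable version, review manually",
                    }),
                }
            }
        }
    }
    findings
}

/// Constructed sample lockfile (not from any real project): the service pulls
/// in protobuf 3.7.1 only transitively, through an invented "some-rpc-lib" crate.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "my-service"
version = "0.1.0"
dependencies = [
 "some-rpc-lib",
]

[[package]]
name = "protobuf"
version = "3.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "protobuf-support"
version = "3.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "some-rpc-lib"
version = "0.4.0"
dependencies = [
 "protobuf",
]
"#;

fn main() {
    for f in vulnerable_protobuf_versions(SAMPLE_LOCK) {
        println!("protobuf {}: {}", f.version, f.reason);
    }
}
```

On a real checkout, `cargo tree -i protobuf` then shows which direct dependency is responsible for pulling the crate in, which is what you need to know to decide between bumping your own Cargo.toml and waiting on an upstream release.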


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-07-05T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68687b486f40f0eb72a48a41

Added to database: 7/5/2025, 1:09:28 AM

Last enriched: 7/5/2025, 1:24:32 AM

Last updated: 7/5/2025, 4:01:07 AM
