GHSA-2gh3-rmm4-6rq5: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-2gh3-rmm4-6rq5) affects the protobuf crate in Rust, where versions prior to 3.7.2 are susceptible to a crash due to uncontrolled recursion. The issue was discovered in December 2024 and publicly disclosed on March 7, 2025. The vulnerability stems from improper parsing of unknown fields in user-supplied input (GitHub Advisory, RustSec Advisory).

The vulnerability exists in the protobuf crate's handling of unknown fields during message parsing. The issue specifically affects the CodedInputStream::skip_group function, which fails to implement proper depth checking when processing nested groups. This implementation oversight allows for unbounded recursion when parsing deeply nested group structures. The vulnerability has been assigned a CVSS score of 6.6 (Moderate severity) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U (GitHub Advisory).

When exploited, this vulnerability can lead to stack overflow conditions, potentially causing application crashes through denial of service. The impact is primarily focused on availability, with no direct effect on confidentiality or integrity of the system (GitHub Advisory).

The vulnerability has been patched in version 3.7.2 of the protobuf crate. The fix implements a depth limit check for unknown groups to prevent unbounded recursion. Users should upgrade to version 3.7.2 or later to address this security issue (GitHub Advisory).