CVE-2025-53605 is a denial-of-service vulnerability in the Rust protobuf crate, affecting versions prior to 3.7.2. The flaw allows uncontrolled recursion in CodedInputStream::skip_group when processing unknown fields from untrusted input: skipping an unknown group recurses once for every group nested inside it, so a message carrying deeply nested unknown groups can exhaust the stack and abort the process (stack overflow leading to DoS). The fix, introduced in version 3.7.2, adds depth checks and recursion accounting. Users of the Rust protobuf library should upgrade to 3.7.2 or later to mitigate the risk. This vulnerability is particularly relevant for developers and system administrators managing Rust-based software that parses untrusted protobuf data.
The Rust ecosystem's widely used protobuf crate contains a denial-of-service flaw: CVE-2025-53605 affects versions before 3.7.2 and permits uncontrolled recursion in protobuf::coded_input_stream::CodedInputStream::skip_group when processing unknown fields from untrusted input. The maintainers...
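To make the mechanism concrete, the following is an added example written for this page, not code from the protobuf crate or its maintainers. It is a minimal, dependency-free reader for the protobuf wire format that skips one unknown field the way a generic parser must: varints, fixed-width values and length-delimited payloads are stepped over directly, while a start-group tag (wire type 3) is skipped by recursing until the matching end-group tag (wire type 4). Every nested group adds stack frames, which is the recursion the advisory describes; the `depth`/`limit` parameters show the kind of depth accounting that bounds it. The limit of 100, the type and function names, and the constructed `nested_groups` input are all choices made for this example and say nothing about the crate's own internals.

```rust
/// Errors a wire-format skipper can hit on hostile or truncated input.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SkipError {
    Truncated,
    MalformedVarint,
    BadWireType(u8),
    UnmatchedEndGroup,
    RecursionLimitExceeded,
}

/// Cursor over a raw protobuf message (toy reader written for this example).
pub struct WireReader<'a> {
    buf: &'a [u8],
    pos: usize,
}

impl<'a> WireReader<'a> {
    pub fn new(buf: &'a [u8]) -> Self {
        WireReader { buf, pos: 0 }
    }

    /// Number of bytes consumed so far.
    pub fn position(&self) -> usize {
        self.pos
    }

    fn read_byte(&mut self) -> Result<u8, SkipError> {
        let b = *self.buf.get(self.pos).ok_or(SkipError::Truncated)?;
        self.pos += 1;
        Ok(b)
    }

    /// Base-128 varint; a u64 never needs more than 10 bytes.
    fn read_varint(&mut self) -> Result<u64, SkipError> {
        let mut value = 0u64;
        for shift in (0..64).step_by(7) {
            let b = self.read_byte()?;
            value |= u64::from(b & 0x7f) << shift;
            if b & 0x80 == 0 {
                return Ok(value);
            }
        }
        Err(SkipError::MalformedVarint)
    }

    /// Advance past `n` bytes, refusing to run off the end of the buffer.
    fn skip_bytes(&mut self, n: u64) -> Result<(), SkipError> {
        let remaining = (self.buf.len() - self.pos) as u64;
        if n > remaining {
            return Err(SkipError::Truncated);
        }
        self.pos += n as usize;
        Ok(())
    }

    /// Skip one field whose tag has already been read. `depth` is the number of
    /// groups currently open around this field; `limit` is the maximum allowed.
    pub fn skip_field(&mut self, tag: u64, depth: u32, limit: u32) -> Result<(), SkipError> {
        match (tag & 7) as u8 {
            0 => self.read_varint().map(|_| ()),
            1 => self.skip_bytes(8),
            2 => {
                let len = self.read_varint()?;
                self.skip_bytes(len)
            }
            3 => self.skip_group(tag >> 3, depth + 1, limit),
            4 => Err(SkipError::UnmatchedEndGroup),
            5 => self.skip_bytes(4),
            other => Err(SkipError::BadWireType(other)),
        }
    }

    /// Skip a group by consuming fields until its end-group tag. Each nested group
    /// recurses skip_field -> skip_group, so without the depth check the stack
    /// depth is dictated by whoever crafted the message.
    fn skip_group(&mut self, field_number: u64, depth: u32, limit: u32) -> Result<(), SkipError> {
        if depth > limit {
            return Err(SkipError::RecursionLimitExceeded);
        }
        loop {
            let tag = self.read_varint()?;
            if tag & 7 == 4 {
                return if tag >> 3 == field_number { Ok(()) } else { Err(SkipError::UnmatchedEndGroup) };
            }
            self.skip_field(tag, depth, limit)?;
        }
    }
}

/// Read the first field's tag, skip the whole field, and report its size in bytes.
pub fn skip_unknown_field(buf: &[u8], limit: u32) -> Result<usize, SkipError> {
    let mut r = WireReader::new(buf);
    let tag = r.read_varint()?;
    r.skip_field(tag, 0, limit)?;
    Ok(r.position())
}

/// Constructed input for this example: `n` nested start-group tags for field 1
/// (0x0b = field 1, wire type 3) followed by `n` matching end-group tags (0x0c).
pub fn nested_groups(n: usize) -> Vec<u8> {
    let mut v = vec![0x0b; n];
    v.extend(std::iter::repeat(0x0c).take(n));
    v
}

fn main() {
    let limit = 100; // illustrative bound chosen for this example
    for &n in &[10usize, 100, 101] {
        println!("{} nested groups, limit {}: {:?}", n, limit, skip_unknown_field(&nested_groups(n), limit));
    }
}
```

With the limit in place, 100 nested groups are skipped and 101 are rejected with `RecursionLimitExceeded` before any further frame is pushed. Passing `u32::MAX` as the limit and a few million entries to `nested_groups` reproduces the failure mode on this toy reader instead: every level adds two stack frames until the thread aborts with a stack overflow, which is why a parser fed untrusted bytes needs the depth check at the recursion site rather than only a size limit on the message.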