CybrWolf

CVE-2025-53605: Denial of Service in Rust protobuf

CVE-2025-53605 is a medium-severity vulnerability in the widely used Rust protobuf crate (versions before 3.7.2). An attacker exploiting uncontrolled recursion in parsing unknown fields can trigger excessive resource use, leading to a Denial-of-Service (DoS) attack.

Vulnerability Details

  • CVE ID: CVE-2025-53605
  • Affected Software: Rust protobuf crate (used in services/apps parsing protocol buffer data)
  • Affected Versions: Before 3.7.2
  • CWE Identifier: CWE-674 (Uncontrolled Recursion)
  • CVSS v3.1 Score: 5.9 (Medium)
    Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVSS v2.0 Score: 5.4 (Medium)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

Exploitation Path

By sending crafted protobuf data containing deeply nested unknown group fields, an attacker can cause the CodedInputStream::skip_group function to recurse once per nesting level with no depth limit. This unbounded recursion consumes CPU and stack memory, potentially crashing or hanging the application.

Although no public exploits are confirmed, systems that parse unverified protobuf input, especially from untrusted sources, can be at risk.

Mitigation Steps

To address this vulnerability:

  1. Upgrade Immediately: Update the protobuf crate to version 3.7.2 or later, where the recursion issue is resolved.
  2. Validate Protobuf Inputs: Limit recursion depth or reject malformed/unknown fields in incoming messages.
  3. Monitor Application Health: Watch for high CPU/memory usage spikes or crashes in services using the crate.
  4. Implement Fallbacks: Use circuit breakers or rate limits on parsing untrusted data.
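Mitigation step 2 in code, as an added example that is not rust-protobuf's own code: a minimal protobuf wire-format skipper for unknown fields that charges one unit of a depth budget per nested group and rejects the input when the budget reaches zero, so the deeply nested groups described under Exploitation Path fail closed instead of overflowing the stack. MAX_DEPTH, the SkipError variants and the nested_groups helper are assumptions chosen for this demo.

```rust
// Added example, not rust-protobuf's code: a minimal protobuf wire-format skipper
// for unknown fields with a recursion budget; MAX_DEPTH is an assumed demo value.
const MAX_DEPTH: usize = 64;
#[derive(Debug, PartialEq)]
pub enum SkipError { Truncated, BadWireType(u8), UnexpectedEndGroup, DepthExceeded }
fn read_varint(buf: &[u8], pos: &mut usize) -> Result<u64, SkipError> {
    let mut value = 0u64;
    for shift in (0..64).step_by(7) {               // at most 10 bytes
        let b = *buf.get(*pos).ok_or(SkipError::Truncated)?; *pos += 1;
        value |= u64::from(b & 0x7f) << shift;
        if b & 0x80 == 0 { return Ok(value); }
    }
    Err(SkipError::Truncated)                       // overlong varint
}
fn advance(buf: &[u8], pos: &mut usize, n: usize) -> Result<(), SkipError> {
    *pos = pos.checked_add(n).filter(|&e| e <= buf.len()).ok_or(SkipError::Truncated)?;
    Ok(())
}
/// Skip one field body; groups recurse via skip_group, spending one unit of `depth` per level.
fn skip_field(buf: &[u8], pos: &mut usize, wire_type: u8, depth: usize) -> Result<(), SkipError> {
    match wire_type {
        0 => read_varint(buf, pos).map(|_| ()),
        1 => advance(buf, pos, 8),
        5 => advance(buf, pos, 4),
        2 => { let len = read_varint(buf, pos)? as usize; advance(buf, pos, len) }
        3 => skip_group(buf, pos, depth),
        4 => Err(SkipError::UnexpectedEndGroup),
        other => Err(SkipError::BadWireType(other)),
    }
}
/// Consume fields until the end-group tag; at `depth == 0` reject instead of recursing
/// further, which is the bound the unpatched crate lacked.
fn skip_group(buf: &[u8], pos: &mut usize, depth: usize) -> Result<(), SkipError> {
    if depth == 0 { return Err(SkipError::DepthExceeded); }
    loop {
        let wire_type = (read_varint(buf, pos)? & 7) as u8;
        if wire_type == 4 { return Ok(()); }
        skip_field(buf, pos, wire_type, depth - 1)?;
    }
}
/// Skip the unknown field whose tag starts `buf`; returns the number of bytes consumed.
pub fn skip_unknown_field(buf: &[u8]) -> Result<usize, SkipError> {
    let mut pos = 0;
    let wire_type = (read_varint(buf, &mut pos)? & 7) as u8;
    skip_field(buf, &mut pos, wire_type, MAX_DEPTH)?;
    Ok(pos)
}
/// Constructed input: `levels` nested groups on field 1 (tag 0x0b opens, 0x0c closes).
pub fn nested_groups(levels: usize) -> Vec<u8> {
    [vec![0x0b; levels], vec![0x0c; levels]].concat()
}
```

With the budget in place, a 100,000-level nesting is rejected after 65 stack frames rather than recursing until the stack is exhausted.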

References & Attribution

NVD Entry for CVE-2025-53605 (National Vulnerability Database summary)
https://nvd.nist.gov/vuln/detail/CVE-2025-53605

MITRE CVE Program (source of CVE metadata and classification)
© 1999–2025 The MITRE Corporation. Licensed under the MITRE CVE Terms of Use.
https://www.cve.org/Legal/TermsOfUse

RustSec advisory RUSTSEC-2024-0437
https://rustsec.org/advisories/RUSTSEC-2024-0437

rust-protobuf GitHub issue #749
https://github.com/stepancheg/rust-protobuf/issues/749

protobuf crate on crates.io
https://crates.io/crates/protobuf
