
URL: https://github.com/advisories/GHSA-p2gh-cfq4-4wjc

Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion · CVE-2026-6409 · GitHub Advisory Database · GitHub



Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion

High severity · GitHub Reviewed · Published in protocolbuffers/protobuf

Package

google/protobuf (Composer)

Affected versions

< 4.33.6

Patched versions

4.33.6

Description

Impact

A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.
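The advisory names two parser failure modes, over-long (negative) varints and unbounded nesting. The walker below is an added example, not protobuf's own code, showing the two bounds a hardened wire-format parser applies: a varint is rejected after 10 bytes (the longest valid encoding, which negative int32/int64 values use in full), and descent into embedded messages stops at an assumed MAX_DEPTH. All inputs are constructed.

```python
# Added example, not protobuf's own code: a schema-less walker over the protobuf
# wire format that enforces the two limits this advisory's failure modes call for.
# Inputs below are constructed; MAX_DEPTH is an assumed value.
MAX_VARINT_BYTES = 10   # longest valid varint (negative int32/int64 use all 10)
MAX_DEPTH = 100         # maximum submessage nesting before parsing is refused

def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode one base-128 varint at buf[pos]; return (value, next_pos)."""
    result, shift = 0, 0
    for i, b in enumerate(buf[pos:pos + MAX_VARINT_BYTES]):
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos + i + 1
        shift += 7
    raise ValueError("varint truncated or longer than %d bytes" % MAX_VARINT_BYTES)

def encode_varint(value: int) -> bytes:
    value &= (1 << 64) - 1          # negatives become 64-bit two's complement
    out = bytearray()
    while value > 0x7F:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)

def nest(depth: int, inner: bytes = b"\x08\x01") -> bytes:
    for _ in range(depth):          # constructed: `depth` layers of field 1, wire type 2
        inner = b"\x0a" + encode_varint(len(inner)) + inner
    return inner

def walk(buf: bytes, depth: int = 0) -> int:
    """Count fields, treating every length-delimited field as a submessage."""
    if depth > MAX_DEPTH:
        raise ValueError("nesting deeper than MAX_DEPTH")
    pos, count = 0, 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        wire_type = tag & 0x7
        if wire_type == 0:                       # varint field
            _, pos = read_varint(buf, pos)
        elif wire_type == 2:                     # length-delimited field
            length, pos = read_varint(buf, pos)
            if length > len(buf) - pos:
                raise ValueError("length runs past end of buffer")
            count += walk(buf[pos:pos + length], depth + 1)
            pos += length
        else:
            raise ValueError("unsupported wire type %d" % wire_type)
        count += 1
    return count
```

A real parser knows from the schema which length-delimited fields are messages and which are strings or bytes; this toy descends into all of them so that the depth bound is exercised on every input.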

Patches

Patches have been released to 5.34.0-RC1 and 4.33.6.


Severity

High

CVSS v4 base metrics

Exploitability Metrics
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: Passive

Vulnerable System Impact Metrics
Confidentiality: None
Integrity: None
Availability: High

Subsequent System Impact Metrics
Confidentiality: None
Integrity: None
Availability: None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS score

(28th percentile)

CVE ID

CVE-2026-6409

GHSA ID

GHSA-p2gh-cfq4-4wjc
