CVE-2024-24786 Overview
CVE-2024-24786 is a denial of service vulnerability in Google's Protocol Buffers (protobuf) Go implementation, specifically affecting the protojson.Unmarshal function. The function can enter an infinite loop when processing certain forms of invalid JSON input, causing the affected application to become unresponsive and consume excessive CPU resources.
Critical Impact
Applications using Go's protojson package to parse untrusted JSON input are vulnerable to denial of service attacks through specially crafted malformed JSON payloads that cause infinite loops during unmarshaling operations.
Affected Products
- Go protobuf library (google.golang.org/protobuf)
- Applications using protojson.Unmarshal with google.protobuf.Any types
- Applications using UnmarshalOptions.DiscardUnknown option
Discovery Timeline
- 2024-03-05 - CVE-2024-24786 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-24786
Vulnerability Analysis
The vulnerability exists in the JSON unmarshaling logic within the Go protobuf library's protojson package. When the protojson.Unmarshal function processes specially crafted invalid JSON data, it can enter an infinite loop condition. This issue is particularly concerning because it can be triggered remotely by an attacker who can supply JSON input to a vulnerable application.
The infinite loop condition manifests under two specific scenarios: when unmarshaling JSON data into a message that contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is enabled during unmarshaling. In both cases, the parsing logic fails to properly terminate when encountering malformed input, resulting in the application thread becoming stuck in an endless processing cycle.
This vulnerability represents a classic algorithmic complexity attack where malformed input causes the parser to enter an unrecoverable state, effectively denying service to legitimate users.
Root Cause
The root cause of this vulnerability lies in improper input validation within the JSON parsing logic of the protojson.Unmarshal function. When processing certain malformed JSON structures, the parser's state machine fails to detect the invalid condition and advance past the problematic input, instead repeatedly attempting to process the same data. The lack of proper bounds checking or loop termination conditions allows the infinite loop to persist indefinitely.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by sending a specially crafted JSON payload to any application endpoint that uses protojson.Unmarshal to parse untrusted input. The attack is particularly effective against:
- API endpoints accepting JSON-encoded Protocol Buffer messages
- Microservices using gRPC-JSON transcoding
- Any Go application that deserializes user-supplied JSON into protobuf messages
The attack does not compromise confidentiality or integrity, but completely impacts availability by causing the affected application thread or process to hang indefinitely. A sustained attack with multiple malicious requests could exhaust all available worker threads, rendering the entire service unavailable.
Detection Methods for CVE-2024-24786
Indicators of Compromise
- Sudden increase in CPU utilization with application threads showing infinite loop behavior
- Application processes becoming unresponsive or timing out when handling JSON parsing operations
- Stack traces showing threads stuck in protojson.Unmarshal or related functions
- Spike in request processing latency specifically for JSON-to-protobuf conversion operations
Detection Strategies
- Monitor application thread states for prolonged execution within protobuf JSON parsing functions
- Implement request timeout monitoring to detect endpoints that consistently fail to respond
- Deploy application performance monitoring (APM) to track JSON unmarshaling operation duration
- Analyze incoming JSON payloads for anomalous structures that deviate from expected schema
Monitoring Recommendations
- Set up alerts for CPU usage spikes correlated with protobuf JSON parsing operations
- Implement circuit breakers with timeout thresholds for JSON unmarshaling operations
- Monitor goroutine counts in Go applications to detect threads stuck in infinite loops
- Track request latency percentiles (p99, p999) to identify parsing-related slowdowns
How to Mitigate CVE-2024-24786
Immediate Actions Required
- Update the Go protobuf library (google.golang.org/protobuf) to the latest patched version
- Review all application code that uses protojson.Unmarshal with untrusted input
- Implement request timeouts for all JSON parsing operations as a defense-in-depth measure
- Consider input validation to reject malformed JSON before protobuf unmarshaling
Patch Information
The vulnerability has been addressed in the Go protobuf library. Refer to the Go Programming Language Issue for the specific code changes. Additional information is available in the Go Vulnerability Advisory GO-2024-2611.
Linux distribution users should check for updates from their respective package maintainers. Fedora users can refer to the Fedora Package Announcement for package updates. NetApp customers should review the NetApp Security Advisory ntap-20240517-0002.
Workarounds
- Implement context-based timeouts around all protojson.Unmarshal calls to prevent indefinite hangs
- Add input size limits and basic JSON validation before passing data to protobuf unmarshaling
- Use rate limiting on endpoints that accept JSON-encoded protobuf messages
- Consider deploying a web application firewall (WAF) to filter anomalous JSON payloads
# Example: Update Go protobuf dependency
go get -u google.golang.org/protobuf@latest
go mod tidy
# Verify the updated version
go list -m google.golang.org/protobuf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
