CVE-2025-53605

EUVD-2025-20099
The protobuf crate before 3.7.2 for Rust allows uncontrolled recursion in the protobuf::coded_input_stream::CodedInputStream::skip_group parsing of unknown fields in untrusted input.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 30%
Debian logo
Debian Releases
Debian Product
Codename
rust-protobuf
bookworm
no-dsa
forky
3.7.2-1
fixed
sid
3.7.2-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
rust-protobuf
jammy
needs-triage
noble
needs-triage
oracular
ignored
plucky
ignored
questing
needs-triage
resolute
needs-triage
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
cargo
Amazon Linux 2
0:1.86.0-1.amzn2.0.2
fixed
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
cargo-debuginfo
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
clippy
Amazon Linux 2
0:1.86.0-1.amzn2.0.2
fixed
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
clippy-debuginfo
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
rust
Amazon Linux 2
0:1.86.0-1.amzn2.0.2
fixed
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
rust-analyzer
Amazon Linux 2
0:1.86.0-1.amzn2.0.2
fixed
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
rust-analyzer-debuginfo
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
rust-debugger-common
Amazon Linux 2
0:1.86.0-1.amzn2.0.2
fixed
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
rust-debuginfo
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
rust-debugsource
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
rust-doc
Amazon Linux 2
0:1.86.0-1.amzn2.0.2
fixed
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
rust-gdb
Amazon Linux 2
0:1.86.0-1.amzn2.0.2
fixed
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
rust-lldb
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
rust-src
Amazon Linux 2
0:1.86.0-1.amzn2.0.2
fixed
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
rust-std-static
Amazon Linux 2
0:1.86.0-1.amzn2.0.2
fixed
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
rust-std-static-wasm32-unknown-unknown
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
rust-std-static-wasm32-wasip1
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
rust-toolset
Amazon Linux 2
0:1.86.0-1.amzn2.0.2
fixed
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
rust-toolset-srpm-macros
Amazon Linux 2
0:1.86.0-1.amzn2.0.2
fixed
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
rustfmt
Amazon Linux 2
0:1.86.0-1.amzn2.0.2
fixed
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
rustfmt-debuginfo
Amazon Linux 2023
0:1.88.0-1.amzn2023.0.2
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
kata-containers
Azure Linux 3.0
0:3.19.1.kata2-1.azl3
fixed
rust
Azure Linux 3.0
0:0.0.0.azl3
fixed
CBL-Mariner 2.0
0:1.72.0-11.cm2
fixed