What is the severity of CVE-2023-24535?

CVE-2023-24535 is classified as a moderate severity vulnerability due to its potential to cause a panic in the application.

How do I fix CVE-2023-24535?

To fix CVE-2023-24535, upgrade to version 1.29.1 of the google.golang.org/protobuf package or ensure you are not using version 1.29.0.

What causes the panic in CVE-2023-24535?

The panic in CVE-2023-24535 is caused by parsing a text-format message that contains a minus sign followed by whitespace and no further input.

Which versions of the protobuf package are affected by CVE-2023-24535?

CVE-2023-24535 affects versions 1.29.0 and earlier of the google.golang.org/protobuf package.

Is CVE-2023-24535 exploitative?

CVE-2023-24535 can lead to application crashes when invalid messages are processed, making it a concern for stability but not directly exploitative.

Vulnerability/
CVE-2023-24535

high

7.5

CWE

125

14/3/2023

8/6/2023

6/1/2025

CVE-2023-24535: Panic when parsing invalid messages in google.golang.org/protobuf

First published: Tue Mar 14 2023(Updated: )

Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.

Credit: security@golang.org security@golang.org

Affected Software	Affected Version	How to fix
go/google.golang.org/protobuf	>=1.29.0<1.29.1	1.29.1
Protocol Buffers	=1.29.0

Remedy

https://go.dev/cl/475995

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-24535?
CVE-2023-24535 is classified as a moderate severity vulnerability due to its potential to cause a panic in the application.
How do I fix CVE-2023-24535?
To fix CVE-2023-24535, upgrade to version 1.29.1 of the google.golang.org/protobuf package or ensure you are not using version 1.29.0.
What causes the panic in CVE-2023-24535?
The panic in CVE-2023-24535 is caused by parsing a text-format message that contains a minus sign followed by whitespace and no further input.
Which versions of the protobuf package are affected by CVE-2023-24535?
CVE-2023-24535 affects versions 1.29.0 and earlier of the google.golang.org/protobuf package.
Is CVE-2023-24535 exploitative?
CVE-2023-24535 can lead to application crashes when invalid messages are processed, making it a concern for stability but not directly exploitative.

agent/type
collector/github-advisory-latest
source/GitHub
alias/GHSA-hw7c-3rfg-p46j
alias/CVE-2023-24535
agent/software-canonical-lookup
agent/references
agent/remedy
agent/severity
agent/weakness
agent/first-publish-date
agent/description
agent/author
agent/title
agent/event
agent/trending
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/source
agent/tags
agent/softwarecombine
collector/nvd-api
source/NVD
agent/software-canonical-lookup-request
collector/nvd-cve
collector/nvd-index
package-manager/go
vendor/protobuf
canonical/protocol buffers
version/protocol buffers/1.29.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.