protobufVersion = '3.19.1' in build.gradle. That version is affected by CVE-2024-7254 (plus the older 2022-3171/3509/3510 DoS issues). The 2024 one is unbounded recursion while parsing untrusted protobuf with deeply-nested groups, which ends in a StackOverflowError.
The reason it matters here specifically: every inbound P2P envelope is decoded with this library right at the top of Connection's read loop (NetworkEnvelope.parseDelimitedFrom(...)), i.e. on bytes from any peer, before any of the size/throttle/validation checks. So a malformed message can blow up the parse rather than getting rejected.
Fix is just a version bump:
- protobuf-java -> 3.25.5 (last 3.x with the fix) or 4.27.5+/4.28.2+.
- Checksums are already pinned via verification-metadata.xml, so it's a metadata refresh too.
While in there it'd be worth setting an explicit CodedInputStream size + recursion limit before parsing as defence in depth, and adding an osv-scanner/Dependabot check so dependency CVEs don't sit unnoticed. I can open the PR for the bump + metadata if helpful.
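One way to wire in the explicit CodedInputStream limits suggested above, as an added illustration rather than code from the project: it assumes NetworkEnvelope is the generated protobuf-java class named in the comment and that the wire framing is the varint-length-prefixed form parseDelimitedFrom reads; the limit values are placeholders to tune to the real protocol.

```java
import com.google.protobuf.CodedInputStream;
import com.google.protobuf.InvalidProtocolBufferException;
import java.io.IOException;
import java.io.InputStream;

// Added example, not the project's code. NetworkEnvelope is assumed to be the
// generated protobuf-java message class used in Connection's read loop.
public final class BoundedEnvelopeReader {
    // Hypothetical limits; size them to the largest legitimate envelope and
    // the deepest nesting the schema actually needs.
    private static final int MAX_ENVELOPE_BYTES = 10 * 1024 * 1024;
    private static final int MAX_NESTING_DEPTH = 32;

    private final CodedInputStream input;

    public BoundedEnvelopeReader(InputStream peerStream) {
        // One CodedInputStream per connection: it reads ahead into its own
        // buffer, so building a fresh one per message would drop bytes that
        // were already pulled from the socket.
        input = CodedInputStream.newInstance(peerStream);
        // Hard cap on bytes consumed per message (see resetSizeCounter below).
        input.setSizeLimit(MAX_ENVELOPE_BYTES);
        // Cap nesting depth (library default is 100). A deeply nested chain of
        // groups/messages now fails with InvalidProtocolBufferException
        // instead of recursing until StackOverflowError.
        input.setRecursionLimit(MAX_NESTING_DEPTH);
    }

    /** Returns the next envelope, or null at clean end of stream (as parseDelimitedFrom does). */
    public NetworkEnvelope next() throws IOException {
        if (input.isAtEnd()) {
            return null;
        }
        input.resetSizeCounter(); // size limit applies per message, not per connection

        // Same framing as parseDelimitedFrom: varint length prefix, then the message body.
        int length = input.readRawVarint32();
        if (length < 0 || length > MAX_ENVELOPE_BYTES) {
            throw new InvalidProtocolBufferException("envelope length " + length + " exceeds limit");
        }
        int oldLimit = input.pushLimit(length);
        NetworkEnvelope envelope = NetworkEnvelope.parser().parseFrom(input);
        input.checkLastTagWas(0); // body must end exactly at the declared length
        input.popLimit(oldLimit);
        return envelope;
    }
}
```

Both limits fire before any nested parse happens, so an oversized or over-nested envelope is rejected at the same point in the read loop where it is decoded today.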