A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
3.12.4-1ubuntu7.22.04.6, 3.21.12-8.2ubuntu0.3, 3.21.12-11ubuntu3.1, 3.0.0-9.1ubuntu1, 3.0.0-9.1ubuntu1.1, 3.0.0-9.1ubuntu1.1+esm3, 3.0.0-9ubuntu5, 3.0.0-9ubuntu6, 3.6.1.3-2, 3.6.1.3-2ubuntu1, 3.6.1.3-2ubuntu3, 3.6.1.3-2ubuntu4, 3.6.1.3-2ubuntu5, 3.6.1.3-2ubuntu5.2, 3.6.1.3-2ubuntu5.2+esm2

Exploitability: AV:N, AC:L, AT:P, PR:N, UI:N
Vulnerable System: VC:N, VI:N, VA:H
Subsequent System: SC:N, SI:N, SA:L
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L
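
A defensive pre-check for the bypass described above, as an added example that is not taken from the advisory or from the protobuf project: it measures container nesting iteratively and rejects over-deep input before ParseDict() sees it, so the limit no longer depends on the parser's own accounting for Any. The names check_nesting, guarded_parse_dict and NestingTooDeep, and the budget of 100, are assumptions.

```python
from collections.abc import Mapping

MAX_DEPTH = 100  # assumed budget; keep it at or below the limit passed to ParseDict()


class NestingTooDeep(ValueError):
    """Raised when untrusted input nests containers beyond the budget."""


def check_nesting(obj, max_depth=MAX_DEPTH):
    """Return the deepest dict/list nesting in obj; raise once max_depth is exceeded.

    Every container level counts, including each {"@type": ..., "value": ...}
    Any wrapper, so the check is stricter than the parser's own counter.
    It uses an explicit stack, so the guard itself cannot raise RecursionError.
    """
    deepest = 0
    stack = [(obj, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, Mapping):
            children = node.values()
        elif isinstance(node, (list, tuple)):
            children = node
        else:
            continue  # scalars add no nesting
        if depth > max_depth:
            raise NestingTooDeep(f"input nests deeper than {max_depth} levels")
        deepest = max(deepest, depth)
        stack.extend((child, depth + 1) for child in children)
    return deepest


def guarded_parse_dict(js_dict, message, max_depth=MAX_DEPTH):
    """Reject over-deep input first, then hand it to ParseDict()."""
    check_nesting(js_dict, max_depth)
    from google.protobuf import json_format  # lazy import: the guard works without protobuf
    return json_format.ParseDict(js_dict, message, max_recursion_depth=max_depth)


if __name__ == "__main__":
    ANY = "type.googleapis.com/google.protobuf.Any"
    # Constructed sample: a Duration wrapped in two Any layers.
    sample = {"@type": ANY, "value": {"@type": ANY, "value": {
        "@type": "type.googleapis.com/google.protobuf.Duration", "value": "1s"}}}
    print(check_nesting(sample))
```

Call guarded_parse_dict() wherever ParseDict() is handed a dict built from untrusted JSON, and treat NestingTooDeep as a rejected request.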