CVE-2026-0994

Pypi Protobuf < 6.33.5 - Denial of Service

Title source: rule

Description

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

References (1)

[Issue Tracking] https://github.com/protocolbuffers/protobuf/pull/25239

Scores

EPSS 0.0003

EPSS Percentile 6.5%

Classification

CWE

CWE-674

Status draft

Affected Products (1)

pypi/protobuf < 6.33.5PyPI

Timeline

Published Jan 23, 2026

Tracked Since Feb 18, 2026