protobuf 5.29.5 reported as vulnerable · Issue #5451 · googleapis/python-aiplatform · GitHub
protobuf 5.29.5 reported as vulnerable #5451
@Arima-dei

Description

Environment details

  • OS type and version: macos 15.5
  • Python version: 3.12.2
  • pip version: 25.0.1
  • google-cloud-aiplatform version: Version: 1.71.1

Steps to reproduce

  1. pip install vertexai==1.71.1
  2. pip install google-generativeai==0.8.5
  3. pip show protobuf (it will show 5.29.5) which is vulnerable.

Description
Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. We recommend upgrading to version =>6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901

However, the vertexai library supports only up to 5.29.5.
One of my projects has received a vulnerability issue because of this and cannot move ahead.

https://nvd.nist.gov/vuln/detail/CVE-2025-4565
It has CVSS-B [8.2 HIGH].

Let me know if this will be updated soon.

Thanks!
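The steps above end at `pip show protobuf`, which only reports a version. The advisory text quoted in the issue says the recursion-limit problem applies to the pure-Python backend, so a practitioner triaging this should check both the installed version and which backend is actually in use. The script below is an added example, not code from the issue or from the python-aiplatform project. It assumes only the fixed version the quoted advisory text gives (6.31.1); the NVD/GHSA entry linked above should be consulted for the full list of patched releases per branch, and any further fixed versions can be passed in `fixed_versions`. The backend query uses `google.protobuf.internal.api_implementation.Type()`, which returns `'python'`, `'cpp'` or `'upb'`. The sample environments at the bottom are constructed for illustration, not real scan results.

```python
"""Triage check for the protobuf recursion DoS (CVE-2025-4565) in the local environment.

Added example, not from the issue or the python-aiplatform project.
Assumptions: the fixed floor 6.31.1 quoted in the issue, and that only the
pure-Python backend is affected, as the quoted advisory text states.
"""
import re
from importlib import metadata

# Fixed releases taken from the advisory text quoted in the issue. Extend this
# with any branch-specific patched versions listed in the NVD/GHSA entry.
DEFAULT_FIXED_VERSIONS = ((6, 31, 1),)


def parse_version(version: str) -> tuple:
    """Turn '5.29.5' into (5, 29, 5).

    Pre-release suffixes such as 'rc1' are dropped, so '6.31.1rc1' compares
    equal to '6.31.1'; good enough for triage, not for strict PEP 440 ordering.
    """
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unparseable protobuf version: {version!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_affected(version: str, backend: str,
                fixed_versions=DEFAULT_FIXED_VERSIONS) -> bool:
    """True when this install can hit the RecursionError described in the issue.

    A version counts as fixed if some entry in fixed_versions shares its major
    number and is less than or equal to it. Only the pure-Python backend
    ('python') is affected; 'upb' and 'cpp' parse recursion in native code.
    """
    if backend != "python":
        return False
    parsed = parse_version(version)
    for fixed in fixed_versions:
        if fixed[0] == parsed[0] and parsed >= fixed:
            return False
    return True


def installed_status():
    """Return (version, backend) for the protobuf in this environment,
    or None if protobuf is not installed at all."""
    try:
        version = metadata.version("protobuf")
    except metadata.PackageNotFoundError:
        return None
    try:
        from google.protobuf.internal import api_implementation
        backend = api_implementation.Type()
    except ImportError:
        backend = "unknown"
    return version, backend


# Constructed sample environments (not real scans) covering the issue's case.
SAMPLE_ENVIRONMENTS = [
    ("5.29.5", "python"),  # the version the issue reports, pure-Python backend
    ("5.29.5", "upb"),     # same version on the default native backend
    ("6.31.1", "python"),  # the fixed floor from the quoted advisory text
]


def main() -> None:
    for version, backend in SAMPLE_ENVIRONMENTS:
        verdict = "AFFECTED" if is_affected(version, backend) else "not affected"
        print(f"protobuf {version} ({backend} backend): {verdict}")
    status = installed_status()
    if status is None:
        print("protobuf is not installed in this interpreter")
    else:
        version, backend = status
        verdict = "AFFECTED" if is_affected(version, backend) else "not affected"
        print(f"installed protobuf {version} ({backend} backend): {verdict}")


if __name__ == "__main__":
    main()
```

Run it inside the virtualenv where `vertexai` and `google-generativeai` were installed; the last line reports the interpreter's own protobuf, which is the number `pip show` prints plus the backend that actually parses messages.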

Labels: api: vertex-ai (Issues related to the googleapis/python-aiplatform API.)