CVE-2024-7254 – Stack overflow in Protocol Buffers parsing

Severity: High
Date: 2025-12-19


Abstract

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups (a series of SGROUP tags) can be crashed by exceeding the stack limit, i.e. a StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that can be abused by an attacker.

The Oxygen products incorporate Protocol Buffers (protobuf-java) as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product                                   Severity   Fixed Release Availability
Oxygen Content Fusion v7.0 and older      High       Oxygen Content Fusion 7.1 build 2024100818
Oxygen XML Web Author v26.1.1 and older   High       Oxygen XML Web Author 27.0.0 build 2024112223

Mitigation

None

Detail

CVE-2024-7254

Severity: High

CVSS Score: 7.5

Parsing untrusted Protocol Buffers data that contains deeply nested groups (SGROUP tags) can trigger unbounded recursion in certain parsing paths (including unknown-field handling, Java Protobuf Lite, and map fields). An attacker can exploit this to exceed stack limits and cause a stack overflow, leading to a denial of service (process crash). Remediation is available by updating to a non-vulnerable protobuf-java version.
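The failure mode above is driven by how deeply SGROUP/EGROUP tags nest in the wire format. As an added illustration (not code from this advisory, from Oxygen, or from the protobuf project), the following Python walks the wire format and measures that nesting so untrusted bytes can be rejected before they reach a parser that recurses once per group; it is a defence-in-depth gate alongside the library update, not a replacement for it. MAX_GROUP_DEPTH, the function names and the sample inputs are assumptions.

```python
SGROUP, EGROUP = 3, 4   # wire types of the group start / end tags
MAX_GROUP_DEPTH = 100   # assumed limit; protobuf's default recursion limit

def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a base-128 varint at buf[pos]; return (value, next position)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized varint")
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def max_group_depth(buf: bytes) -> int:
    """Deepest SGROUP nesting in one wire-format message (ValueError if malformed).
    Length-delimited fields are skipped as opaque bytes: without the schema a
    sub-message cannot be told from a string, so re-run the check per embedded message."""
    pos, depth, deepest = 0, 0, 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        wire_type = tag & 7
        if wire_type == 0:                       # varint payload
            _, pos = read_varint(buf, pos)
        elif wire_type in (1, 5):                # fixed64 / fixed32 payload
            pos += 8 if wire_type == 1 else 4
        elif wire_type == 2:                     # length-delimited payload
            length, pos = read_varint(buf, pos)
            pos += length
        elif wire_type == SGROUP:
            depth += 1
            deepest = max(deepest, depth)
        elif wire_type == EGROUP:
            if depth == 0:
                raise ValueError("EGROUP without matching SGROUP")
            depth -= 1
        else:
            raise ValueError(f"invalid wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("field runs past end of input")
    if depth != 0:
        raise ValueError("unterminated group")
    return deepest

def is_safe_to_parse(buf: bytes, limit: int = MAX_GROUP_DEPTH) -> bool:
    try:
        return max_group_depth(buf) <= limit
    except ValueError:
        return False
```

Tag bytes in the constructed inputs follow the wire format: a tag is (field_number << 3) | wire_type, so 0x0B is field 1 SGROUP and 0x0C is field 1 EGROUP.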

We assessed exposure across our products that embed this library. We updated the bundled protobuf-java to a non-vulnerable version in supported fixed releases.
