{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/protobuf--0.16.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["protobuf (\u003c 0.16.1)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","elixir","protobuf"],"_cs_type":"advisory","_cs_vendors":["elixir-protobuf"],"content_html":"\u003cp\u003eCVE-2026-54451 describes a high-severity vulnerability involving unbounded recursion depth in the \u003ccode\u003eProtobuf.Decoder\u003c/code\u003e component of the Elixir \u003ccode\u003eprotobuf\u003c/code\u003e Hex package, affecting versions \u003ccode\u003e\u0026gt;= 0.8.0\u003c/code\u003e and \u003ccode\u003e\u0026lt; 0.16.1\u003c/code\u003e. An unauthenticated attacker can exploit this flaw to launch a denial-of-service attack against any Elixir service that decodes untrusted Protobuf messages, particularly those with self-referential or cyclic message types in their schema. By sending a small, specially crafted Protobuf message (a few KB to MB) containing deeply nested fields, the attacker forces the BEAM runtime to recurse millions of times without a depth limit. This leads to severe memory exhaustion, excessive CPU consumption, and scheduler pinning, effectively rendering the victim service unresponsive or causing it to crash. The lack of a recursion-depth counter, unlike reference Protobuf implementations, makes the \u003ccode\u003eprotobuf\u003c/code\u003e library vulnerable to request-amplification DoS attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an Elixir service that utilizes the vulnerable \u003ccode\u003eprotobuf\u003c/code\u003e Hex package (versions between 0.8.0 and 0.16.1) to decode untrusted Protobuf input.\u003c/li\u003e\n\u003cli\u003eThe attacker determines or defines a self-referential Protobuf message schema (e.g., \u003ccode\u003emessage Tree { Tree child = 1; }\u003c/code\u003e) that the target application is configured to decode.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious Protobuf message in wire format, recursively nesting the self-referential field hundreds of thousands to millions of times.\u003c/li\u003e\n\u003cli\u003eThe crafted message is optimized to be small in overall size (e.g., a few KB to a few MB) to maximize recursion depth while minimizing bandwidth consumption for the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious message via an HTTP POST request with \u003ccode\u003eContent-Type: application/x-protobuf\u003c/code\u003e to an endpoint that processes and calls \u003ccode\u003eTree.decode/1\u003c/code\u003e on the input.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eProtobuf.Decoder.value_for_field/3\u003c/code\u003e function is invoked and recursively calls \u003ccode\u003edecode\u003c/code\u003e for each nested level without enforcing any depth limit.\u003c/li\u003e\n\u003cli\u003eEach recursive call consumes a new stack frame and allocates heap memory, leading to rapid exhaustion of process memory and significant CPU load on the BEAM runtime.\u003c/li\u003e\n\u003cli\u003eThe victim service experiences a denial of service, becoming unresponsive or crashing, particularly if multiple concurrent requests are processed.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability (CVE-2026-54451) allows an unauthenticated, network-reachable attacker to perform a request-amplification denial-of-service against any Elixir service that decodes untrusted Protobuf messages containing self-referential or cyclic types. A single small, maliciously crafted request can consume seconds of CPU time and hundreds of megabytes of memory on the victim server. Just a few concurrent requests can lead to complete service unavailability or node crashes, severely impacting the reliability and accessibility of affected applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-54451 immediately by updating the \u003ccode\u003eprotobuf\u003c/code\u003e Hex package to version \u003ccode\u003e0.16.1\u003c/code\u003e or higher to ensure the recursion depth limit is enforced.\u003c/li\u003e\n\u003cli\u003eReview webserver access logs and HTTP proxy logs for POST requests containing \u003ccode\u003eContent-Type: application/x-protobuf\u003c/code\u003e with unusually large \u003ccode\u003eContent-Length\u003c/code\u003e headers, which may indicate attempted exploitation.\u003c/li\u003e\n\u003cli\u003eImplement robust application-level logging to capture \u003ccode\u003eProtobuf.DecodeError\u003c/code\u003e exceptions, as these indicate attempts to trigger or successful exploitation of recursion limits.\u003c/li\u003e\n\u003cli\u003eMonitor Elixir BEAM node resources, specifically CPU utilization, memory consumption, and process stack depth, for sudden spikes or sustained high usage that could indicate a denial-of-service attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T17:45:25Z","date_published":"2026-07-15T17:45:25Z","id":"https://feed.craftedsignal.io/briefs/2026-07-protobuf-unbounded-recursion-dos/","summary":"An unauthenticated attacker can trigger a denial-of-service condition in services that decode untrusted protobuf messages using the `Protobuf.Decoder` (Hex package `protobuf`) versions between 0.8.0 and 0.16.1 by crafting deeply nested self-referential message types, leading to memory exhaustion and service crashes.","title":"Unbounded Recursion Depth in Elixir Protobuf Decoder Causes Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-07-protobuf-unbounded-recursion-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Protobuf (\u003c 0.16.1)","version":"https://jsonfeed.org/version/1.1"}