x/vulndb: potential Go vuln in github.com/protocolbuffers/protobuf: CVE-2024-2410

[GoVulnBot]

CVE-2024-2410 references github.com/protocolbuffers/protobuf, which may be a Go module.

Description:
The JsonToBinaryStream() function is part of the protocol buffers C++ implementation and is used to parse JSON from a stream. If the input is broken up into separate chunks in a certain way, the parser will attempt to read bytes from a chunk that has already been freed. 

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-2410
• JSON: https://github.com/CVEProject/cvelist/tree/9154b74b11b1be4db89393bdc8152d0798e6f25d/2024/2xxx/CVE-2024-2410.json
• web: https://github.com/protocolbuffers/protobuf/releases/tag/v25.0
• Imported by: https://pkg.go.dev/github.com/protocolbuffers/protobuf?tab=importedby

Cross references:

• Module github.com/protocolbuffers/protobuf appears in issue x/vulndb: potential Go vuln in github.com/protocolbuffers/protobuf: CVE-2021-22570 #271 NOT_GO_CODE
• Module github.com/protocolbuffers/protobuf appears in issue x/vulndb: potential Go vuln in github.com/protocolbuffers/protobuf: GHSA-jwvw-v7c5-m82h #768 NOT_A_VULNERABILITY
• Module github.com/protocolbuffers/protobuf appears in issue x/vulndb: potential Go vuln in github.com/protocolbuffers/protobuf: CVE-2022-1941 #1016 NOT_GO_CODE
• Module github.com/protocolbuffers/protobuf appears in issue x/vulndb: potential Go vuln in github.com/protocolbuffers/protobuf: CVE-2022-3171 #1063 NOT_GO_CODE

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/protocolbuffers/protobuf
      vulnerable_at: 5.26.1+incompatible
      packages:
        - package: protobuf
summary: CVE-2024-2410 in github.com/protocolbuffers/protobuf
cves:
    - CVE-2024-2410
references:
    - web: https://github.com/protocolbuffers/protobuf/releases/tag/v25.0
source:
    id: CVE-2024-2410

[gopherbot]

Change https://go.dev/cl/584376 mentions this issue: data/excluded: batch add 3 excluded reports