Uncontrolled Recursion

CVE-2026-0994

High

8.2/10

Summary

A Denial-of-Service (DoS) vulnerability exists in "google.protobuf.json_format.ParseDict()" in Python, where the "max_recursion_depth" limit can be bypassed when parsing nested "google.protobuf.Any messages". Affected versions are through 6.33.4. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python's recursion stack and causing a RecursionError.

Attack Complexity: LOW
Attack Vector: NETWORK
User Interaction: NONE
Privileges Required: NONE

CWE-674 - Uncontrolled Recursion

The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.

References

Advisory
Issue
Pull request

Advisory Timeline

Published Jan 23, 2026

Uncontrolled Recursion

CVE-2026-0994

Summary

CWE-674 - Uncontrolled Recursion

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS