
CVE-2024-7254 vulnerability found in dependency #2804

Closed
2 tasks done
RonyOCuinn opened this issue Feb 19, 2025 · 3 comments

Comments

@RonyOCuinn

RonyOCuinn commented Feb 19, 2025

General Troubleshooting

  • I have checked for similar issues on the Issue-tracker.
  • I have checked for PRs that might already address this issue.

Version of JDA

5.3.0

Expected Behaviour

IntelliJ alerts to say that CVE-2024-7254 is present in the protobuf-java library:

Dependency maven:com.google.protobuf:protobuf-java:3.25.3 is vulnerable

Upgrade to 4.28.2

CVE-2024-7254, Score: 7.5

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

Read More: https://www.mend.io/vulnerability-database/CVE-2024-7254?utm_source=JetBrains

Results powered by Mend.io

Code Example for Reproduction Steps

N/A

Code for JDABuilder or DefaultShardManagerBuilder used

N/A

Exception or Error

N/A
@freya022
Contributor

Already fixed with #2760

@Andre601
Contributor

Andre601 commented Feb 19, 2025

The linked PR also contains comments addressing an important question for every CVE you could encounter: Is it actually an issue in JDA?

Some CVEs may never be an issue in JDA as it will never be triggered the way it gets described. The issue here with protobuf is especially not an issue, as you apparently can run JDA without it given it's a transitive dependency and not actively used by JDA itself.
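
As an added example (not from this thread or the JDA project), the two ways a JDA user can act on the point above in a Gradle build: either drop the transitive protobuf-java artifact, since the thread says JDA does not use it, or pin it to the 4.28.2 release the advisory names. The artifact coordinate net.dv8tion:JDA and the use of Gradle Kotlin DSL are assumptions; pick one of the two options, not both.

```kotlin
// build.gradle.kts (added example; coordinates assumed, see lead-in)
dependencies {
    // Option A: exclude the unused transitive dependency entirely.
    // Caveat: if some code path did need protobuf-java it would fail at runtime
    // with NoClassDefFoundError, so run your test suite after this change.
    implementation("net.dv8tion:JDA:5.3.0") {
        exclude(group = "com.google.protobuf", module = "protobuf-java")
    }

    // Option B: keep the artifact but force the version the advisory lists as fixed.
    // This is a major-version jump from 3.25.3, so confirm nothing else on the
    // classpath depends on the 3.x API before shipping it.
    constraints {
        implementation("com.google.protobuf:protobuf-java:4.28.2") {
            because("CVE-2024-7254: unbounded recursion on nested SGROUP tags")
        }
    }
}

// Verify the resolved result (should print nothing for Option A, 4.28.2 for Option B):
//   ./gradlew dependencies --configuration runtimeClasspath | grep protobuf-java
```
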

@RonyOCuinn
Author

Apologies, I did a ctrl + f for the CVE number in the title of open PRs, I should have done an actual search. Closing!
