High severity and reachable issue identified in your code:
Line 36 has a vulnerable usage of protobuf, introducing a high severity vulnerability.
ℹ️ Why this is reachable
A reachable issue is a real security risk because your project actually executes the vulnerable code. This issue is reachable because your code uses a certain version of protobuf.
Affected versions of protobuf are vulnerable to Uncontrolled Recursion. A denial-of-service vulnerability in the Python protobuf library's JSON parser allows deeply nested google.protobuf.Any messages to bypass the configured max_recursion_depth in json_format.ParseDict. Because the internal Any-handling logic does not update the recursion counter, an attacker supplying a JSON payload with repeatedly nested Any messages can exhaust Python's recursion stack (raising RecursionError) instead of a controlled ParseError, potentially crashing or disrupting services that parse untrusted JSON.
References: GHSA, CVE
To resolve this comment:
Upgrade this dependency to at least version 5.29.6 at uv.lock.
💬 Ignore this finding
To ignore this, reply with:
/fp <comment> for false positive
/ar <comment> for acceptable risk
/other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
Originally posted by @semgrep-code-snapchat[bot] in #638