Bump protobuf to 6.31.1+ to address CVE-2025-4565 #611
CVE-2025-4565 affects protobuf's Pure-Python backend when parsing deeply nested recursive structures, potentially causing RecursionError and denial of service. This update ensures the patched version is used.

Changes:
- Update protobuf constraint from >=5.29.5,<6.0.0 to >=6.31.1,<7.0.0
- Add regression tests for deeply nested metadata structures
- Fix ruff target-version config issue (py310 instead of "8.0.0")

Testing:
- All 227 gRPC unit tests pass
- All 418 unit tests pass
- Performance benchmarks show no regression
- Type checking passes with mypy
- Linting passes with ruff

Co-authored-by: Cursor <cursoragent@cursor.com>
33e6e9c to 95ed20f
Update buf.gen.yaml to use protobuf 6.x compatible plugin versions and regenerate the gRPC Python code. This ensures the generated code is compatible with the upgraded protobuf dependency.

Changes:
- Update buf.gen.yaml plugin versions from v29 to v33
- Regenerate db_data_2025_10_pb2.py with protobuf 6.33.0
- Regenerate db_data_2025_10_pb2.pyi type stubs

All 227 gRPC unit tests pass with the regenerated code.

Co-authored-by: Cursor <cursoragent@cursor.com>
The dependency tests were configured to test with protobuf 5.29.5, causing failures now that we've upgraded to 6.31.1+. Update all three test matrix configurations (py3.10, py3.11/3.12, py3.13) to test with the new minimum protobuf version.

Co-authored-by: Cursor <cursoragent@cursor.com>
googleapis-common-protos 1.66.0 has a dependency constraint of protobuf<6.0.0, which conflicts with our upgrade to protobuf 6.31.1. This was causing the dependency tests to install protobuf 5.29.6 instead of 6.31.1, leading to version mismatch errors. Upgrade to googleapis-common-protos 1.72.0 which supports protobuf<7.0.0, allowing our protobuf 6.31.1 upgrade to work.

Changes:
- Update googleapis-common-protos requirement from >=1.66.0 to >=1.72.0
- Update all dependency test matrices to use googleapis-common-protos 1.72.0
- Regenerate uv.lock

Co-authored-by: Cursor <cursoragent@cursor.com>
The generated gRPC code was built with protobuf 6.33.0 (from buf plugin v33.0). Protobuf's version check requires runtime >= gencode, so we need to set the minimum runtime version to match. CVE-2025-4565 was patched in 6.31.1, so 6.33.0 is still safe.

Co-authored-by: Cursor <cursoragent@cursor.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
```python
metadata = {"list": [[[[{"key": "value"}]]]]}
struct = dict_to_proto_struct(metadata)
result = _struct_to_dict(struct)
assert result is not None
```
Test masks silent data loss in nested lists
Medium Severity
The test_nested_lists_in_metadata test passes despite _struct_to_dict silently corrupting the data. The input {"list": [[[[{"key": "value"}]]]]} round-trips to {"list": [[]]} because the nested-list handler in _struct_to_dict only supports primitive types (number_value, string_value, bool_value) and silently drops list_value, struct_value, and null_value items. The assertion assert result is not None doesn't verify data integrity, giving a false sense that nested lists are correctly handled. Unlike test_mixed_nested_structures, which validates actual values, this test needs a data-integrity assertion to be a meaningful regression test.
CI Status Update

All gRPC dependency tests are now passing! ✅

Fixed Issues:

Test Results:

Note on Integration Test Failures:
## Summary

Bumps protobuf dependency from `>=5.29.5,<6.0.0` to `>=6.31.1,<7.0.0` to address [CVE-2025-4565](https://nvd.nist.gov/vuln/detail/CVE-2025-4565).

**CVE Details:** The vulnerability affects protobuf's Pure-Python backend when parsing untrusted Protocol Buffers data containing deeply nested recursive groups, recursive messages, or a series of SGROUP tags. This can cause a RecursionError leading to denial of service.

**Risk Area:** Our `_struct_to_dict` function in `pinecone/grpc/utils.py` handles recursive protobuf Structs for metadata parsing, making it vulnerable to this attack vector.

## Changes

- Updated protobuf constraint in `pyproject.toml` from `>=5.29.5,<6.0.0` to `>=6.31.1,<7.0.0`
- Added regression tests in `tests/unit_grpc/test_deeply_nested_metadata.py` to prevent future issues
  - Test deeply nested dictionaries (50 levels)
  - Test deeply nested lists
  - Test mixed nested structures
- Fixed ruff `target-version` configuration issue discovered during validation
- Removed unused import in `scripts/count_tokens.py`

## Testing

All validation tests passed successfully:

- ✅ **gRPC Unit Tests**: All 227 tests passed
- ✅ **Regression Tests**: All 3 new CVE tests passed (no RecursionError)
- ✅ **Performance Tests**: All 29 benchmarks passed with no performance degradation
- ✅ **Type Checking**: mypy validation passed on all 191 source files
- ✅ **Linting**: ruff checks passed
- ✅ **Full Unit Suite**: All 418 tests passed (4 skipped)

## References

- [CVE-2025-4565 Details](https://nvd.nist.gov/vuln/detail/CVE-2025-4565)
- [Protobuf Fix Commit](protocolbuffers/protobuf@17838be)

---

> [!NOTE]
> **Medium Risk**
> Dependency upgrade to protobuf v6 plus regenerated gRPC stubs may introduce subtle runtime/type-annotation incompatibilities in protobuf/gRPC handling; new tests reduce risk but don't fully cover all message parsing paths.
>
> **Overview**
> Updates the gRPC dependency set to address **CVE-2025-4565** by bumping `protobuf` to `>=6.33.0,<7.0.0` (and `googleapis-common-protos` to `>=1.72.0`), and aligning CI dependency-matrix runs and `buf` codegen plugins to the newer protobuf toolchain.
>
> Regenerates checked-in protobuf stubs (`db_data_2025_10_pb2.py`/`.pyi`) for the new protobuf runtime and adds unit regression tests covering deeply nested dict/list metadata roundtrips via `dict_to_proto_struct` and `_struct_to_dict` to prevent RecursionError/DoS regressions. Also fixes Ruff config by setting `target-version` to `py310` and updates the lockfile accordingly.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 083cae2. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
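The Bugbot finding above (a nested-list handler limited to primitives silently drops `list_value`, `struct_value` and `null_value`) and the regression tests the summary describes both reduce to the same check: convert by dispatching on every `Value` kind, then compare the round trip for equality rather than asserting only `is not None`. What follows is an added example, not the project's `_struct_to_dict` or `dict_to_proto_struct`; the names `value_to_python`, `struct_to_dict`, `dict_to_struct` and `round_trips` are chosen here, and it assumes the `protobuf` package is installed.

```python
from typing import Any

from google.protobuf.struct_pb2 import Struct, Value


def value_to_python(value: Value) -> Any:
    """Convert one Value by dispatching on its populated oneof field; the
    list_value, struct_value and null_value branches are what a primitives-
    only handler misses (the reviewed case collapsed to {"list": [[]]})."""
    kind = value.WhichOneof("kind")
    if kind == "null_value":
        return None
    if kind == "number_value":
        return value.number_value
    if kind == "string_value":
        return value.string_value
    if kind == "bool_value":
        return value.bool_value
    if kind == "struct_value":
        return struct_to_dict(value.struct_value)
    if kind == "list_value":
        return [value_to_python(item) for item in value.list_value.values]
    raise ValueError("Value has no kind set")


def struct_to_dict(struct: Struct) -> dict[str, Any]:
    """Recursive Struct -> dict conversion covering every Value kind."""
    return {key: value_to_python(val) for key, val in struct.fields.items()}


def dict_to_struct(data: dict[str, Any]) -> Struct:
    """Struct.update() already handles nested dicts, lists and None."""
    struct = Struct()
    struct.update(data)
    return struct


def round_trips(data: dict[str, Any]) -> bool:
    """Integrity check: the round trip must equal the input, not just be non-None."""
    return struct_to_dict(dict_to_struct(data)) == data


if __name__ == "__main__":
    # Constructed inputs: the reviewed nested-list case and a 50-level dict.
    deep: dict[str, Any] = {"leaf": 1.0}
    for _ in range(50):
        deep = {"level": deep}
    assert round_trips({"list": [[[[{"key": "value"}]]]]}) and round_trips(deep)
```

Swapping `round_trips` in for the `assert result is not None` check turns the reviewed test into one that fails when any nesting level is dropped.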