Security: Update protobuf when CVE-2026-0994 fix is released

## Summary

CVE-2026-0994 affects protobuf versions ≤ 6.33.4. Currently on 6.33.4 (latest stable).

## Vulnerability Details

- **CVE:** [CVE-2026-0994](https://nvd.nist.gov/vuln/detail/CVE-2026-0994)
- **Severity:** High (CVSS 8.2)
- **Type:** Denial of Service (DoS) via uncontrolled recursion
- **Affected:** `google.protobuf.json_format.ParseDict()` with nested `Any` messages

## Current Status

- ✅ Updated to protobuf 6.33.4 (latest stable)
- ⏳ Awaiting stable fix from upstream
- 🔄 Pre-release 7.34.0rc1 available but not compatible with all dependencies

## Action Required

When protobuf releases a stable version with the fix:

```bash
uv lock --upgrade-package protobuf
uv sync
```

## References

- [GitHub Advisory GHSA-7gcm-g887-7qv7](https://github.com/advisories/GHSA-7gcm-g887-7qv7)
- [protobuf Issue #25070](https://github.com/protocolbuffers/protobuf/issues/25070)
- [protobuf PR #25239](https://github.com/protocolbuffers/protobuf/pull/25239)
- [protobuf Releases](https://github.com/protocolbuffers/protobuf/releases)

## Mitigation (current)

Until patched:
- Input validation on JSON payload depth before parsing
- Runtime safeguards limiting Python interpreter recursion depth

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: Update protobuf when CVE-2026-0994 fix is released #21

Summary

Vulnerability Details

Current Status

Action Required

References

Mitigation (current)

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security: Update protobuf when CVE-2026-0994 fix is released #21

Description

Summary

Vulnerability Details

Current Status

Action Required

References

Mitigation (current)

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions