CVE-2024-7254 reported in protobuf-java dependency

[bestbeforetoday]

What version of gRPC-Java are you using?

1.66.0.

What is your environment?

Linux and MacOS.

What did you expect to see?

No vulnerabilities detected when running OSV-Scanner and OWASP dependency-check.

What did you see instead?

com.google.protobuf:[email protected] has the following known vulnerabilities:
  GHSA-735f-pc8j-v9w8: protobuf-java has potential Denial of Service issue (https://osv.dev/GHSA-735f-pc8j-v9w8)

com.google.protobuf:protobuf-java:3.25.3 is a direct dependency of io.grpc:grpc-protobuf:1.66.0.

This vulnerability looks to be resolved in protobuf-java versions 3.25.5, 4.27.5, 4.28.2.

Steps to reproduce the bug

N/A.

[ejona86]

We will update our version in time. But you don't need us to upgrade anything. You can depend on the newer protobuf-java yourself (4.x if you are able, 3.x otherwise). That is always the fastest way to upgrade a dependency.