chore(deps): Update dependency protobuf [SECURITY]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
protobuf	==5.28.3 -> ==5.29.5
protobuf	==6.30.0 -> ==6.31.1
protobuf	==5.27.2 -> ==5.29.5

GitHub Vulnerability Alerts

CVE-2025-4565

Summary

Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team
[email protected]

Affected versions: This issue only affects the pure-Python implementation of protobuf-python backend. This is the implementation when PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default.

This is a Python variant of a previous issue affecting protobuf-java.

Severity

This is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker.

Proof of Concept

For reproduction details, please refer to the unit tests decoder_test.py and message_test

Remediation and Mitigation

A mitigation is available now. Please update to the latest available versions of the following packages:

• protobuf-python(4.25.8, 5.29.5, 6.31.1)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dpebot]

/gcbrun

[gemini-code-assist]

Summary of Changes

Hello @renovate-bot, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the protobuf dependency across several project examples to patch a critical security vulnerability, CVE-2025-4565. The vulnerability, which affects the pure-Python implementation of Protobuf, could lead to a Denial of Service by exploiting unbounded recursion when processing maliciously crafted Protocol Buffers data. The update ensures that the project components are protected against this potential attack vector.

Highlights

• Security Update: This pull request addresses CVE-2025-4565, a Denial of Service vulnerability found in the pure-Python backend of the protobuf library.
• Dependency Upgrade: The protobuf dependency has been updated across various requirements.txt files to versions 5.29.5 and 6.31.1.
• Vulnerability Details: The vulnerability could be exploited by parsing untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages, or SGROUP tags, leading to unbounded recursion and a potential Denial of Service.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request correctly updates the protobuf dependency across multiple requirements.txt files to address the security vulnerability CVE-2025-4565. The version bumps to 5.29.5 and 6.31.1 are appropriate remediations.

However, there are inconsistencies in how the updates have been applied. In some cases, the source files for dependency management (like requirements.in or uv.lock) have not been updated along with the generated requirements.txt files. This could lead to the security patch being accidentally reverted in the future. I've added specific comments on the affected files with suggestions on how to resolve this.

[gemini-code-assist]

While updating protobuf to 5.29.5 is correct for patching the security vulnerability, the source file examples/high-throughput-compute-standalone/american-option/requirements.in still specifies protobuf==5.27.2. Since this requirements.txt file is auto-generated from requirements.in (as noted in the file header), this change will be overwritten the next time dependencies are compiled. To fix this permanently, requirements.in should be updated to protobuf==5.29.5 and this requirements.txt file should be regenerated.

[gemini-code-assist]

While updating protobuf to 5.29.5 here is correct for patching the security vulnerability, the lock file examples/high-throughput-compute-standalone/ui/uv.lock still specifies protobuf==5.28.3. If requirements.txt is generated from uv.lock, this change may be overwritten. To ensure consistency and make the fix permanent, please update the uv.lock file (e.g., by running uv pip compile pyproject.toml --upgrade-package protobuf) and then regenerate this requirements.txt file from the updated lock file.

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun