Anthropic Buffa Rust Library Vulnerability Can Trigger Denial-of-Service Attacks
A vulnerability in Anthropic’s Rust-based protobuf library buffa can let attackers trigger memory exhaustion and crash services that decode untrusted protobuf messages.
The flaw is tracked as CVE-2026-55407 and GHSA-f9qc-qg88-7pq5. According to Endor Labs, the issue affects buffa and connectrpc versions before 0.8.0.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Anthropic has already shipped fixes in version 0.8.0 of both packages. Developers using vulnerable versions should update immediately, especially if their services process protobuf data from users, clients, partners, or internet-facing APIs.
What The Buffa Vulnerability Does
Buffa is a Rust implementation of Protocol Buffers with support for editions, JSON serialization, and zero-copy message views. The buffa GitHub repository describes it as a protobuf implementation designed around Rust performance and modern protobuf features.
The vulnerability sits in the handling of unknown protobuf fields. Unknown fields exist so protobuf systems can preserve data that a receiving schema does not recognize, then re-encode it later without losing information.
That compatibility behavior created the vulnerable path. When buffa decoded certain unknown fields from attacker-controlled input, it could allocate too much memory compared with the original message size.
| Item | Details |
|---|---|
| CVE | CVE-2026-55407 |
| GitHub advisory | GHSA-f9qc-qg88-7pq5 |
| Affected packages | buffa and connectrpc |
| Affected versions | Versions before 0.8.0 |
| Fixed version | 0.8.0 |
| Main impact | Denial of service through memory amplification |
| Vendor severity | Moderate, CVSS 4.0 score of 6.3 |
How Memory Amplification Causes A DoS
The issue is not a memory corruption bug. Rust’s memory safety still helps prevent many classic crash and code execution paths, but safe code can still allocate too much memory when it trusts attacker-controlled size or structure data.
Endor Labs said its AI SAST engine first flagged a data flow where a length value from protobuf wire data reached a heap allocation. The bigger risk appeared when researchers followed the unknown-field decoding path into protobuf group handling.
In that path, a relatively small protobuf message can expand into a much larger in-memory structure. Endor Labs reported that a 64 MiB payload could drive heap usage to about 1.4 GiB, producing roughly 22 times memory amplification.
- An attacker sends a crafted protobuf message to a vulnerable service.
- The service decodes the message using affected buffa or connectrpc code.
- Unknown field preservation keeps attacker-controlled unknown fields in memory.
- The in-memory representation grows far larger than the wire payload.
- The process can run out of memory and crash.
Why connectrpc Users Are Also Affected
The issue also affects connectrpc because it uses buffa for protobuf message handling. The connectrpc project is a Tower-based Rust implementation of the Connect protocol that serves Connect, gRPC, and gRPC-Web clients.
That makes the vulnerability relevant for services that expose RPC endpoints and decode protobuf messages from remote clients. A single exposed decode path can become a denial-of-service risk if attackers can repeatedly send crafted messages.
The risk depends on service architecture. A small internal tool with strict authentication, small request limits, and strong restart controls faces less risk than a public API with high concurrency and limited memory headroom.
| Deployment type | Risk level | Why it matters |
|---|---|---|
| Public gRPC or Connect API | High | Attackers may reach protobuf decode paths remotely |
| Authenticated partner API | Medium to high | Compromised or malicious clients may still send hostile messages |
| Internal microservice mesh | Medium | A compromised workload can target shared services |
| Offline file ingestion | Medium to high | Large protobuf files can exhaust memory during processing |
| Trusted-only local usage | Lower | Exposure depends on whether untrusted protobuf data is ever decoded |
The Default Unknown Field Behavior Matters
Buffa preserves unknown fields for round-trip fidelity. The buffa documentation lists UnknownFields as a key type used for unknown-field preservation.
That default is useful for forward compatibility. It lets applications receive newer protobuf messages, keep fields they do not understand, and write those fields back later without stripping data.
The same feature increased the attack surface in this case. Endor Labs said any message decoded from untrusted input using generated code with preserve_unknown_fields enabled, which was the default, was affected.
What Anthropic Changed In The Fix
The fix landed in buffa and connectrpc 0.8.0. It adds a configurable per-message limit on unknown fields, with a default cap that keeps allocation overhead bounded even under hostile input.
Endor Labs said the default unknown-field count limit is one million fields, which caps allocation overhead at roughly 40 MiB per message. That makes memory use more predictable and prevents the large amplification path from growing without a practical ceiling.
The latest buffa documentation now references DecodeOptions and a default unknown field limit, showing that the library exposes controls for decoding behavior.
- Upgrade buffa to version 0.8.0 or later.
- Upgrade connectrpc to version 0.8.0 or later.
- Review services that decode protobuf messages from untrusted clients.
- Apply request size limits, concurrency limits, and rate limits at service boundaries.
- Consider disabling unknown field preservation where applications do not need it.
- Watch for out-of-memory restarts, crash loops, and abnormal request patterns.
Why Input Size Limits Alone May Not Be Enough
Input size limits still help, but this bug shows why they cannot serve as the only defense. A message can remain within an accepted request size while still expanding into a much larger memory footprint during decoding.
That problem matters in containerized environments. A service with a 256 MiB or 512 MiB memory limit may crash even when the network payload looks acceptable under normal API limits.
Crash loops can make the availability impact worse. If an orchestrator restarts the process and the attacker repeats the request, the service can keep failing instead of recovering cleanly.
| Defense | What it helps with | Limitations |
|---|---|---|
| Package update | Fixes the vulnerable unknown-field allocation behavior | Requires all downstream services to rebuild and redeploy |
| Request size limits | Blocks unusually large protobuf payloads | Does not fully stop memory amplification |
| Rate limiting | Reduces repeated crash attempts | Does not prevent a single expensive decode |
| Memory limits | Protects the host from full exhaustion | Can still kill the service process |
| Disable unknown fields | Removes the main vulnerable sink where safe to do so | May break forward-compatible round-tripping |
Mitigation For Teams That Cannot Patch Immediately
The best fix is to update. If a team cannot upgrade immediately, Endor Labs recommends regenerating code with preserve_unknown_fields set to false where applications do not need unknown-field retention.
That workaround removes the main data structure that made the memory amplification path dangerous. It should still receive compatibility testing because some systems depend on preserving fields for proxying, storage, or round-trip behavior.
Teams should also restrict access to vulnerable decode endpoints while they prepare a full patch. Public endpoints, file upload paths, partner integrations, and high-volume RPC services need the fastest review.
Why The CVSS Score Needs Context
Anthropic scored the issue as Moderate with a CVSS 4.0 score of 6.3. That score reflects a specific deployment profile with supervised replicas, automatic restarts, and operational controls.
Endor Labs argued that consumers should score the risk against their own environment. A service with unauthenticated access, weak rate limiting, tight memory limits, or costly restart behavior may see a higher practical availability impact.
That distinction matters for security teams. A Moderate CVSS score can still justify urgent patching when the affected component sits on a critical production request path.
What Developers Should Check
Developers should first search dependency manifests for vulnerable buffa or connectrpc versions. The buffa project is pre-1.0, so teams should also watch for API or behavior changes when moving across minor versions.
Teams using connectrpc should rebuild generated code and redeploy all services that expose Connect, gRPC, or gRPC-Web endpoints backed by buffa-decoded messages.
After patching, operators should monitor for memory spikes and abnormal decode failures. That helps confirm that the update reached the services that actually process external protobuf traffic.
- Check Cargo.lock for buffa and connectrpc versions below 0.8.0.
- Upgrade dependencies and rebuild generated protobuf code where required.
- Redeploy every service image that includes the vulnerable crates.
- Review API gateways and service meshes for payload and rate limits.
- Test decode paths with realistic maximum-size messages.
- Alert on repeated out-of-memory kills and rapid container restarts.
Why This Discovery Matters For Rust Security
The vulnerability shows that memory-safe languages can still suffer denial-of-service bugs when data structure growth does not have strong limits. Safety prevents many classes of memory corruption, but it does not automatically enforce allocation budgets.
It also shows why security tooling needs data-flow analysis, not only pattern matching. Endor Labs said its engine traced attacker-controlled wire data into allocation behavior, then researchers confirmed the more serious amplification path manually.
For Rust teams, the lesson is direct: parsers, codecs, and protocol libraries should treat untrusted input as a resource-budget problem. Size limits, recursion limits, field limits, and allocation limits all matter.
Bottom Line
CVE-2026-55407 is a denial-of-service vulnerability, not a remote code execution flaw. Still, it can become serious when affected protobuf decode paths sit behind public or high-volume services.
Developers should update buffa and connectrpc to 0.8.0 or later, then review whether unknown-field preservation is necessary in each service. Operators should also confirm that memory, rate, and request limits match the real risk of protobuf decoding under hostile input.
The fix is available, and teams should treat exposed protobuf services as the priority. Services that decode untrusted messages with older buffa or connectrpc versions remain the highest-risk group.
FAQ
CVE-2026-55407 is a denial-of-service vulnerability in Anthropic’s buffa Rust protobuf library. It can cause excessive memory allocation when vulnerable versions decode crafted protobuf messages with unknown fields.
Buffa and connectrpc versions before 0.8.0 are affected. Version 0.8.0 includes the fix for the unknown-field memory amplification issue.
No known evidence suggests that CVE-2026-55407 enables remote code execution. The confirmed impact is denial of service through memory exhaustion.
The vendor score reflects a specific deployment profile. Services with public protobuf endpoints, weak rate limits, low memory limits, or repeated crash loops may face higher practical impact.
Developers should upgrade buffa and connectrpc to 0.8.0 or later. If immediate patching is not possible, they should consider disabling unknown-field preservation where safe and apply strict request, rate, and memory controls.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages