Anthropic Buffa Rust Library Vulnerability Can Trigger Denial-of-Service Attacks


A vulnerability in Anthropic’s Rust-based protobuf library buffa can let attackers trigger memory exhaustion and crash services that decode untrusted protobuf messages.

The flaw is tracked as CVE-2026-55407 and GHSA-f9qc-qg88-7pq5. According to Endor Labs, the issue affects buffa and connectrpc versions before 0.8.0.

Anthropic has already shipped fixes in version 0.8.0 of both packages. Developers using vulnerable versions should update immediately, especially if their services process protobuf data from users, clients, partners, or internet-facing APIs.

What The Buffa Vulnerability Does

Buffa is a Rust implementation of Protocol Buffers with support for editions, JSON serialization, and zero-copy message views. The buffa GitHub repository describes it as a protobuf implementation designed around Rust performance and modern protobuf features.

The vulnerability sits in the handling of unknown protobuf fields. Unknown fields exist so protobuf systems can preserve data that a receiving schema does not recognize, then re-encode it later without losing information.

That compatibility behavior created the vulnerable path. When buffa decoded certain unknown fields from attacker-controlled input, it could allocate too much memory compared with the original message size.

ItemDetails
CVECVE-2026-55407
GitHub advisoryGHSA-f9qc-qg88-7pq5
Affected packagesbuffa and connectrpc
Affected versionsVersions before 0.8.0
Fixed version0.8.0
Main impactDenial of service through memory amplification
Vendor severityModerate, CVSS 4.0 score of 6.3

How Memory Amplification Causes A DoS

The issue is not a memory corruption bug. Rust’s memory safety still helps prevent many classic crash and code execution paths, but safe code can still allocate too much memory when it trusts attacker-controlled size or structure data.

Endor Labs said its AI SAST engine first flagged a data flow where a length value from protobuf wire data reached a heap allocation. The bigger risk appeared when researchers followed the unknown-field decoding path into protobuf group handling.

In that path, a relatively small protobuf message can expand into a much larger in-memory structure. Endor Labs reported that a 64 MiB payload could drive heap usage to about 1.4 GiB, producing roughly 22 times memory amplification.

  • An attacker sends a crafted protobuf message to a vulnerable service.
  • The service decodes the message using affected buffa or connectrpc code.
  • Unknown field preservation keeps attacker-controlled unknown fields in memory.
  • The in-memory representation grows far larger than the wire payload.
  • The process can run out of memory and crash.

Why connectrpc Users Are Also Affected

The issue also affects connectrpc because it uses buffa for protobuf message handling. The connectrpc project is a Tower-based Rust implementation of the Connect protocol that serves Connect, gRPC, and gRPC-Web clients.

That makes the vulnerability relevant for services that expose RPC endpoints and decode protobuf messages from remote clients. A single exposed decode path can become a denial-of-service risk if attackers can repeatedly send crafted messages.

The risk depends on service architecture. A small internal tool with strict authentication, small request limits, and strong restart controls faces less risk than a public API with high concurrency and limited memory headroom.

Deployment typeRisk levelWhy it matters
Public gRPC or Connect APIHighAttackers may reach protobuf decode paths remotely
Authenticated partner APIMedium to highCompromised or malicious clients may still send hostile messages
Internal microservice meshMediumA compromised workload can target shared services
Offline file ingestionMedium to highLarge protobuf files can exhaust memory during processing
Trusted-only local usageLowerExposure depends on whether untrusted protobuf data is ever decoded

The Default Unknown Field Behavior Matters

Buffa preserves unknown fields for round-trip fidelity. The buffa documentation lists UnknownFields as a key type used for unknown-field preservation.

That default is useful for forward compatibility. It lets applications receive newer protobuf messages, keep fields they do not understand, and write those fields back later without stripping data.

The same feature increased the attack surface in this case. Endor Labs said any message decoded from untrusted input using generated code with preserve_unknown_fields enabled, which was the default, was affected.

What Anthropic Changed In The Fix

The fix landed in buffa and connectrpc 0.8.0. It adds a configurable per-message limit on unknown fields, with a default cap that keeps allocation overhead bounded even under hostile input.

Endor Labs said the default unknown-field count limit is one million fields, which caps allocation overhead at roughly 40 MiB per message. That makes memory use more predictable and prevents the large amplification path from growing without a practical ceiling.

The latest buffa documentation now references DecodeOptions and a default unknown field limit, showing that the library exposes controls for decoding behavior.

  • Upgrade buffa to version 0.8.0 or later.
  • Upgrade connectrpc to version 0.8.0 or later.
  • Review services that decode protobuf messages from untrusted clients.
  • Apply request size limits, concurrency limits, and rate limits at service boundaries.
  • Consider disabling unknown field preservation where applications do not need it.
  • Watch for out-of-memory restarts, crash loops, and abnormal request patterns.

Why Input Size Limits Alone May Not Be Enough

Input size limits still help, but this bug shows why they cannot serve as the only defense. A message can remain within an accepted request size while still expanding into a much larger memory footprint during decoding.

That problem matters in containerized environments. A service with a 256 MiB or 512 MiB memory limit may crash even when the network payload looks acceptable under normal API limits.

Crash loops can make the availability impact worse. If an orchestrator restarts the process and the attacker repeats the request, the service can keep failing instead of recovering cleanly.

DefenseWhat it helps withLimitations
Package updateFixes the vulnerable unknown-field allocation behaviorRequires all downstream services to rebuild and redeploy
Request size limitsBlocks unusually large protobuf payloadsDoes not fully stop memory amplification
Rate limitingReduces repeated crash attemptsDoes not prevent a single expensive decode
Memory limitsProtects the host from full exhaustionCan still kill the service process
Disable unknown fieldsRemoves the main vulnerable sink where safe to do soMay break forward-compatible round-tripping

Mitigation For Teams That Cannot Patch Immediately

The best fix is to update. If a team cannot upgrade immediately, Endor Labs recommends regenerating code with preserve_unknown_fields set to false where applications do not need unknown-field retention.

That workaround removes the main data structure that made the memory amplification path dangerous. It should still receive compatibility testing because some systems depend on preserving fields for proxying, storage, or round-trip behavior.

Teams should also restrict access to vulnerable decode endpoints while they prepare a full patch. Public endpoints, file upload paths, partner integrations, and high-volume RPC services need the fastest review.

Why The CVSS Score Needs Context

Anthropic scored the issue as Moderate with a CVSS 4.0 score of 6.3. That score reflects a specific deployment profile with supervised replicas, automatic restarts, and operational controls.

Endor Labs argued that consumers should score the risk against their own environment. A service with unauthenticated access, weak rate limiting, tight memory limits, or costly restart behavior may see a higher practical availability impact.

That distinction matters for security teams. A Moderate CVSS score can still justify urgent patching when the affected component sits on a critical production request path.

What Developers Should Check

Developers should first search dependency manifests for vulnerable buffa or connectrpc versions. The buffa project is pre-1.0, so teams should also watch for API or behavior changes when moving across minor versions.

Teams using connectrpc should rebuild generated code and redeploy all services that expose Connect, gRPC, or gRPC-Web endpoints backed by buffa-decoded messages.

After patching, operators should monitor for memory spikes and abnormal decode failures. That helps confirm that the update reached the services that actually process external protobuf traffic.

  • Check Cargo.lock for buffa and connectrpc versions below 0.8.0.
  • Upgrade dependencies and rebuild generated protobuf code where required.
  • Redeploy every service image that includes the vulnerable crates.
  • Review API gateways and service meshes for payload and rate limits.
  • Test decode paths with realistic maximum-size messages.
  • Alert on repeated out-of-memory kills and rapid container restarts.

Why This Discovery Matters For Rust Security

The vulnerability shows that memory-safe languages can still suffer denial-of-service bugs when data structure growth does not have strong limits. Safety prevents many classes of memory corruption, but it does not automatically enforce allocation budgets.

It also shows why security tooling needs data-flow analysis, not only pattern matching. Endor Labs said its engine traced attacker-controlled wire data into allocation behavior, then researchers confirmed the more serious amplification path manually.

For Rust teams, the lesson is direct: parsers, codecs, and protocol libraries should treat untrusted input as a resource-budget problem. Size limits, recursion limits, field limits, and allocation limits all matter.

Bottom Line

CVE-2026-55407 is a denial-of-service vulnerability, not a remote code execution flaw. Still, it can become serious when affected protobuf decode paths sit behind public or high-volume services.

Developers should update buffa and connectrpc to 0.8.0 or later, then review whether unknown-field preservation is necessary in each service. Operators should also confirm that memory, rate, and request limits match the real risk of protobuf decoding under hostile input.

The fix is available, and teams should treat exposed protobuf services as the priority. Services that decode untrusted messages with older buffa or connectrpc versions remain the highest-risk group.

FAQ

What is CVE-2026-55407 in Anthropic buffa?

CVE-2026-55407 is a denial-of-service vulnerability in Anthropic’s buffa Rust protobuf library. It can cause excessive memory allocation when vulnerable versions decode crafted protobuf messages with unknown fields.

Which buffa and connectrpc versions are affected?

Buffa and connectrpc versions before 0.8.0 are affected. Version 0.8.0 includes the fix for the unknown-field memory amplification issue.

Can the buffa vulnerability lead to remote code execution?

No known evidence suggests that CVE-2026-55407 enables remote code execution. The confirmed impact is denial of service through memory exhaustion.

Why can the issue be serious if it has a Moderate CVSS score?

The vendor score reflects a specific deployment profile. Services with public protobuf endpoints, weak rate limits, low memory limits, or repeated crash loops may face higher practical impact.

How can developers fix or mitigate the buffa DoS vulnerability?

Developers should upgrade buffa and connectrpc to 0.8.0 or later. If immediate patching is not possible, they should consider disabling unknown-field preservation where safe and apply strict request, rate, and memory controls.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages