Skip to content

[GHSA-7xpr-hc2w-34m9] Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service #8635

Open
tal-sealsecurity wants to merge 1 commit into
tal-sealsecurity/advisory-improvement-8635from
tal-sealsecurity-GHSA-7xpr-hc2w-34m9
Open

[GHSA-7xpr-hc2w-34m9] Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service #8635
tal-sealsecurity wants to merge 1 commit into
tal-sealsecurity/advisory-improvement-8635from
tal-sealsecurity-GHSA-7xpr-hc2w-34m9

Conversation

@tal-sealsecurity

@tal-sealsecurity tal-sealsecurity commented Jul 9, 2026

Copy link
Copy Markdown

Updates

  • Affected products
  • Description

Comments
wire-runtime-jvm is not discontinued
as seen on maven https://mvnrepository.com/artifact/com.squareup.wire/wire-runtime-jvm

why the vuln is not on wire-runtime

wire-runtime is the root module, but the vuln is on wire-runtime-jvm

@github

github commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Hi there @oldergod! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions Bot changed the base branch from main to tal-sealsecurity/advisory-improvement-8635 July 9, 2026 17:45
@oldergod

oldergod commented Jul 9, 2026

Copy link
Copy Markdown

Hi, Wire maintainer here.

I agree:

  • com.squareup.wire:wire-runtime-jvm is not discontinued. It's still published in lockstep with wire-runtime (through 6.4.5 and the 7.0.0 alphas), and wire-runtime-jvm:6.3.0 contains the fix. The advisory's current "discontinued / Patched versions: none" wording for that coordinate is wrong and should be corrected to "fixed in 6.3.0". I'll fix the repo-level advisory on our side as well.
  • The root wire-runtime jar is indeed the KMP umbrella artifact: it ships Kotlin metadata only, and Gradle's module metadata redirects JVM consumers to wire-runtime-jvm, which contains the vulnerable bytecode.

Though:

  1. Please keep the com.squareup.wire:wire-runtime entries. Even though the root artifact carries no bytecode, it is the coordinate the vast majority of users declare in their build files as Gradle resolves it to wire-runtime-jvm transparently. Removing it from the affected list would stop Dependabot and manifest-based scanners from alerting most affected projects. Listing both the root and the platform artifact is the usual practice for Kotlin Multiplatform advisories.
  2. The proposed single introduced: 0 → fixed: 6.3.0 range on wire-runtime-jvm silently un-flags 7.0.0-alpha01 and 7.0.0-alpha02, which are vulnerable (fixed in 7.0.0-alpha03, see Add negative-length check in skipGroup square/wire#3595). Those alpha versions exist on Maven Central for wire-runtime-jvm too, so the alpha range needs to be preserved.
  3. The edited description leaves some inconsistent text behind: it still references "the discontinued status of com.squareup.wire:wire-runtime-jvm", contains an orphaned fragment ("fixed in version 6.3.0."), and keeps the "Wire 7 alpha releases" section whose version range was removed.

Finally, I'd be happy with

  • com.squareup.wire:wire-runtime: 0 → fixed 6.3.0 and 7.0.0-alpha01 → fixed 7.0.0-alpha03 (unchanged from today)
  • com.squareup.wire:wire-runtime-jvm: same two ranges, replacing the current <= 5.3.3 / no-patch entry
  • Description updated to drop the "discontinued legacy artifact" claims and state both coordinates are fixed in 6.3.0

Happy to have the curation team apply it that way, or I can update the source advisory on square/wire and let it propagate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants