From 7b729fa16c9a1ab9d7e76608561983c8bd9b362b Mon Sep 17 00:00:00 2001
From: Senthil Raja R
Date: Tue, 16 Jun 2026 10:54:44 +0530
Subject: [PATCH] Upgrade protobuf-java to 4.32.1 to fix CVE-2024-7254

This upgrades com.google.protobuf:protobuf-java from 4.29.3 to 4.32.1, which is patched against CVE-2024-7254 (Denial of Service via infinite recursion when parsing nested group tags with DiscardUnknownFieldsParser or Java Protobuf Lite parser). The affected versions are < 3.25.5, >= 4.0.0-rc1 < 4.27.5, and >= 4.28.0-RC1 < 4.28.2. Version 4.32.1 is >= 4.28.2, so it is patched. Fixes #4662
---
 MODULE.bazel | 2 +-
 gradle/libs.versions.toml | 2 +-
 maven_install.json | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/MODULE.bazel b/MODULE.bazel
index ac086a21546..1c0c3bf156e 100644
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -139,7 +139,7 @@ maven.install(
 "com.google.googlejavaformat:google-java-format:1.33.0",
 "com.google.guava:failureaccess:1.0.1",
 "com.google.guava:guava-beta-checker:1.0",
- "com.google.protobuf:protobuf-java:4.29.3",
+ "com.google.protobuf:protobuf-java:4.32.1",
 "com.squareup:javapoet:1.13.0",
 "com.squareup:kotlinpoet:1.11.0",
 "com.squareup:kotlinpoet-javapoet:1.11.0",
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 17c17408c4b..88801e4b87c 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -73,7 +73,7 @@ ksp-embeddable = { module = "com.google.devtools.ksp:symbol-processing-aa-embedd
 lint-api = { module = "com.android.tools.lint:lint-api", version.ref = "lint" }
 lint-checks = { module = "com.android.tools.lint:lint-checks", version.ref = "lint" }
 lint-tests = { module = "com.android.tools.lint:lint-tests", version.ref = "lint" }
-protobuf-java = { module = "com.google.protobuf:protobuf-java", version = "4.29.3" }
+protobuf-java = { module = "com.google.protobuf:protobuf-java", version = "4.32.1" }
 publishPlugin = { module = "com.vanniktech:gradle-maven-publish-plugin", version.ref = "publish" }
 robolectric = { module = "org.robolectric:robolectric", version = "4.14.1" }
 truth = { module = "com.google.truth:truth", version.ref = "truth" }
diff --git a/maven_install.json b/maven_install.json
index 3a956b57fb9..ab51c44684b 100644
--- a/maven_install.json
+++ b/maven_install.json
@@ -693,9 +693,9 @@
 },
 "com.google.protobuf:protobuf-java": {
 "shasums": {
- "jar": "442db5991a11974d72127353be7d7e7abdf8d943d83b16668cb2e336d7392f54"
+ "jar": "8c99e4d971338bafb0b0b1d1cea9b1bbb3dc9630eb9c25109e4c7c27bca832cb"
 },
- "version": "4.29.3"
+ "version": "4.32.1"
 },
 "com.google.protobuf:protobuf-java-util": {
 "shasums": {