Changes announced January 23, 2025

Changes announced for Protocol Buffers on January 23, 2025.

Poison Java gencode

We are patching a change into the 25.x branch that will poison Java gencode that was created prior to the 3.21.7 release. We will then mark all versions of Java protobuf from 3.21.7 through 3.25.5 as vulnerable to the footmitten CVE.

After this change is patched in, protobuf will throw an UnsupportedOperationException from the makeExtensionsImmutable method unless you set the system property “-Dcom.google.protobuf.use_unsafe_pre22_gencode”. Using this system property can buy you some time if you can’t update your code immediately, but should be considered a short-term workaround.

Poison MSVC + Bazel

We will be dropping support for using Bazel and MSVC together in v34. As of v30, we will poison this combination with an error unless you specify the opt-out flag --define=protobuf_allow_msvc=true to silence it.

MSVC’s path length limits combined with Bazel’s sandboxing have become increasingly difficult to support in combination. Rather than randomly break users who install protobuf into a long path, we will prohibit the use of MSVC from Bazel altogether. We will continue to support MSVC with CMake, and begin supporting clang-cl with Bazel. For any feedback or discussion, see https://github.com/protocolbuffers/protobuf/issues/20085.