Hey there.
This vulnerability has been raised by our own internal source composition analysis and vulnerability scanners. After risk assessment of exploitability, we have made the decision to not fix the finding immediately for the following reasons:
- a limitation in the .NET compiler means that it cannot be upgraded without an unacceptable performance impact. We have reported the issue.
- the protobuf file is both generated and consumed by our software.
- the impact of failure in our use-case is low risk.
That said, we are investigating various work-arounds for the problem or replacements for Google.Protobuf but we have no ETA at this time.
In the future, please check out this guide on Responsible Vulnerability Disclosure: