Track protobuf 7.x upgrade for CVE-2026-0994 remediation

## Summary

Dependabot has identified **CVE-2026-0994** (High severity) affecting `protobuf <= 6.33.4` in two components:
- `metrics-service/uv.lock` (Alert #29)
- `agents/a2a/uv.lock` (Alert #28)

The fix is available in `protobuf 7.34.0rc1`, but **we cannot upgrade** due to upstream dependency constraints.

## Vulnerability Details

**CVE-2026-0994**: JSON recursion depth bypass in `google.protobuf.json_format.ParseDict()`

- **Type**: Denial of Service (DoS)
- **Vector**: Nested `google.protobuf.Any` messages bypass `max_recursion_depth` limit
- **Impact**: Attackers can cause `RecursionError` by supplying deeply nested JSON
- **Fix**: [PR #25239](https://github.com/protocolbuffers/protobuf/pull/25239) merged Jan 23, 2026

## Blocking Dependencies

| Package | Current Version | Constraint | Upstream Repo |
|---------|-----------------|------------|---------------|
| `opentelemetry-proto` | 1.39.1 | `>=5.0,<7.0` | [opentelemetry-python](https://github.com/open-telemetry/opentelemetry-python) |
| `googleapis-common-protos` | 1.72.0 | `>=3.20.2,<7.0.0` | [python-api-common-protos](https://github.com/googleapis/python-api-common-protos) |
| `proto-plus` | 1.27.0 | `>=3.19.0,<7.0.0` | [proto-plus-python](https://github.com/googleapis/proto-plus-python) |

All three packages explicitly require `protobuf < 7.0.0`, blocking our upgrade path.

## Risk Assessment

| Factor | Assessment |
|--------|------------|
| **Direct protobuf usage** | None - only transitive dependency |
| **Affected services** | Internal only (metrics-service, agents) |
| **Attack vector** | Requires crafted JSON with nested `Any` messages |
| **Exploitability** | Low - services don't parse untrusted protobuf JSON |

## Action Items

- [ ] Monitor upstream repos for protobuf 7.x compatibility releases
- [ ] Subscribe to relevant upstream issues/PRs:
  - [ ] opentelemetry-python protobuf 7.x support
  - [ ] googleapis protobuf 7.x support
- [ ] Upgrade when all blocking dependencies support protobuf 7.x
- [ ] Re-run `uv lock` for metrics-service and agents/a2a after upgrade
- [ ] Verify Dependabot alerts auto-close after upgrade

## Upstream Tracking Links

- **OpenTelemetry**: Search [opentelemetry-python issues](https://github.com/open-telemetry/opentelemetry-python/issues?q=protobuf+7)
- **Google APIs**: Search [python-api-common-protos issues](https://github.com/googleapis/python-api-common-protos/issues?q=protobuf+7)
- **Proto Plus**: Search [proto-plus-python issues](https://github.com/googleapis/proto-plus-python/issues?q=protobuf+7)

## References

- [CVE-2026-0994 NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-0994)
- [GitHub Issue #25070](https://github.com/protocolbuffers/protobuf/issues/25070)
- [Fix PR #25239](https://github.com/protocolbuffers/protobuf/pull/25239)
- [Dependabot Alert #28](https://github.com/jrmatherly/mcp-registry-gateway/security/dependabot/28)
- [Dependabot Alert #29](https://github.com/jrmatherly/mcp-registry-gateway/security/dependabot/29)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Track protobuf 7.x upgrade for CVE-2026-0994 remediation #1

Summary

Vulnerability Details

Blocking Dependencies

Risk Assessment

Action Items

Upstream Tracking Links

References

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Package	Current Version	Constraint	Upstream Repo
`opentelemetry-proto`	1.39.1	`>=5.0,<7.0`	opentelemetry-python
`googleapis-common-protos`	1.72.0	`>=3.20.2,<7.0.0`	python-api-common-protos
`proto-plus`	1.27.0	`>=3.19.0,<7.0.0`	proto-plus-python

Factor	Assessment
Direct protobuf usage	None - only transitive dependency
Affected services	Internal only (metrics-service, agents)
Attack vector	Requires crafted JSON with nested `Any` messages
Exploitability	Low - services don't parse untrusted protobuf JSON

Track protobuf 7.x upgrade for CVE-2026-0994 remediation #1

Description

Summary

Vulnerability Details

Blocking Dependencies

Risk Assessment

Action Items

Upstream Tracking Links

References

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions