VYPR
High severity · NVD Advisory · Published Jan 7, 2022 · Updated Apr 21, 2025

Denial of Service of protobuf-java parsing procedure

CVE-2021-22569

Description

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Protobuf-java before 3.16.1, 3.18.2, 3.19.2, 3.20.0-rc2 has a DoS vulnerability in unknown field parsing that causes long GC pauses from a small malicious payload.

Vulnerability

An issue in the parsing of com.google.protobuf.UnknownFieldSet fields allows interleaved fields to be processed out of order, creating large numbers of short-lived objects that trigger frequent, repeated garbage collection pauses in the Java runtime. The vulnerability affects all versions of Java Protobufs (including Kotlin and JRuby) prior to the fixed versions: 3.16.1, 3.18.2, 3.19.2, and the release candidate 3.20.0-rc2. The "javalite" variant typically used in Android is not affected [2][4].

Exploitation

An attacker needs only the ability to supply a crafted binary protobuf payload to a Java component that parses it. The sample proof-of-concept payload is approximately 800 KB in size. The attack does not require authentication or any special network position; it can be delivered over any protocol that transmits protobuf binary data. The malformed input triggers the out-of-order processing path, causing the parser to allocate many temporary objects and induce prolonged GC activity [4].

Impact

Successful exploitation results in a denial of service: the parser can be occupied for several minutes, causing the application to become unresponsive or incur significantly degraded performance. There is no information disclosure, privilege escalation, or remote code execution [1][4].

Mitigation

Users should upgrade to the fixed versions: 3.16.1, 3.18.2, 3.19.2, or 3.20.0-rc2 (or later). The vulnerability is rated High with a CVSS score of 7.5 [2]. Google's security bulletin lists the fix date as January 2022 [1]. No workaround is available; patching is the only mitigation. The issue was discovered via OSS-Fuzz [4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
com.google.protobuf:protobuf-java | Maven | < 3.16.1 | 3.16.1
google-protobuf | RubyGems | < 3.19.2 | 3.19.2
com.google.protobuf:protobuf-java | Maven | >= 3.18.0, < 3.18.2 | 3.18.2
com.google.protobuf:protobuf-java | Maven | >= 3.19.0, < 3.19.2 | 3.19.2
com.google.protobuf:protobuf-kotlin | Maven | >= 3.18.0, < 3.18.2 | 3.18.2
com.google.protobuf:protobuf-kotlin | Maven | >= 3.19.0, < 3.19.2 | 3.19.2
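A dependency-version check against the ranges in the table above, added here as an example and not code from VYPR, GitHub or the protobuf project. It encodes only the table's ranges (the 3.20.0-rc2 fix mentioned in the narrative has no row in the table and is therefore not encoded), orders Maven "-rc" qualifiers before the final release, and scans constructed mvn dependency:tree output.

```python
import re

# Ranges copied from the "Affected packages" table: (lower bound inclusive or None, upper exclusive, patched).
AFFECTED = {
    "com.google.protobuf:protobuf-java": [(None, "3.16.1", "3.16.1"),
                                         ("3.18.0", "3.18.2", "3.18.2"),
                                         ("3.19.0", "3.19.2", "3.19.2")],
    "com.google.protobuf:protobuf-kotlin": [("3.18.0", "3.18.2", "3.18.2"),
                                           ("3.19.0", "3.19.2", "3.19.2")],
    "google-protobuf": [(None, "3.19.2", "3.19.2")],
}

def parse_version(v):
    """'3.20.0-rc2' -> ((3, 20, 0), (0, 'rc', 2)); a final release gets (1,) so it sorts after its pre-releases."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # pad '3.19' to (3, 19, 0)
    pre = (0, m.group(2).lower(), int(m.group(3) or 0)) if m.group(2) else (1,)
    return nums, pre

def patched_version_for(package, version):
    """Return the version to upgrade to if (package, version) is in an affected range, else None."""
    ranges = AFFECTED.get(package)
    if not ranges:
        return None  # package not listed in the table; its version string is not parsed
    v = parse_version(version)
    for lower, upper, patched in ranges:
        if (lower is None or parse_version(lower) <= v) and v < parse_version(upper):
            return patched
    return None

def scan_dependency_tree(text):
    """Report affected coordinates from mvn dependency:tree style lines (group:artifact:jar:version:scope)."""
    findings = []
    for line in text.splitlines():
        m = re.search(r"([\w.-]+:[\w.-]+):jar:([\w.-]+)", line)
        if m:
            patched = patched_version_for(m.group(1), m.group(2))
            if patched:
                findings.append((m.group(1), m.group(2), patched))
    return findings

# Constructed sample output; not taken from a real build.
SAMPLE_TREE = """\
[INFO] +- com.google.protobuf:protobuf-java:jar:3.19.1:compile
[INFO] +- com.google.protobuf:protobuf-kotlin:jar:3.18.2:compile
[INFO] \\- com.google.guava:guava:jar:31.0.1-jre:compile
"""
```

Only protobuf-java 3.19.1 is reported for the sample; protobuf-kotlin 3.18.2 is the patched version itself and guava is not listed.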

Affected products: 370

References: 9