VYPR
High severityNVD Advisory· Published Jan 7, 2022· Updated Apr 21, 2025

Denial of Service of protobuf-java parsing procedure

CVE-2021-22569

Description

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
com.google.protobuf:protobuf-javaMaven
< 3.16.13.16.1
google-protobufRubyGems
< 3.19.23.19.2
com.google.protobuf:protobuf-javaMaven
>= 3.18.0, < 3.18.23.18.2
com.google.protobuf:protobuf-javaMaven
>= 3.19.0, < 3.19.23.19.2
com.google.protobuf:protobuf-kotlinMaven
>= 3.18.0, < 3.18.23.18.2
com.google.protobuf:protobuf-kotlinMaven
>= 3.19.0, < 3.19.23.19.2

Affected products

374

Patches

Vulnerability mechanics

References

9

News mentions

0

No linked articles in our index yet.