High severity7.5NVD Advisory· Published Dec 12, 2022· Updated Jun 17, 2026
CVE-2022-3509
CVE-2022-3509
Description
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.google.protobuf:protobuf-javaMaven | >= 3.0.0, < 3.16.3 | 3.16.3 |
com.google.protobuf:protobuf-javaMaven | >= 3.17.0, < 3.19.6 | 3.19.6 |
com.google.protobuf:protobuf-javaMaven | >= 3.20.0, < 3.20.3 | 3.20.3 |
com.google.protobuf:protobuf-javaMaven | >= 3.21.0, < 3.21.7 | 3.21.7 |
com.google.protobuf:protobuf-javaliteMaven | >= 3.20.0, < 3.20.3 | 3.20.3 |
com.google.protobuf:protobuf-javaliteMaven | >= 3.21.0, < 3.21.7 | 3.21.7 |
com.google.protobuf:protobuf-javaliteMaven | >= 3.0.0, < 3.16.3 | 3.16.3 |
Affected products
167- osv-coords166 versionspkg:apk/chainguard/apache-nifipkg:apk/chainguard/apache-nifi-compatpkg:apk/chainguard/apache-nifi-toolkitpkg:apk/chainguard/celeborn-0.5pkg:apk/chainguard/celeborn-0.6pkg:apk/chainguard/dottypkg:apk/chainguard/druidpkg:apk/chainguard/druid-compatpkg:apk/chainguard/emsdkpkg:apk/chainguard/hadoop-client-modulespkg:apk/chainguard/spark-3.5pkg:apk/chainguard/spark-3.5.0-compatpkg:apk/chainguard/spark-3.5-scala-2.12-compatpkg:apk/chainguard/spark-3.5-scala-2.12-iamguarded-compatpkg:apk/chainguard/spark-3.5-scala-2.13-compatpkg:apk/chainguard/spark-fips-3.5pkg:apk/chainguard/spark-fips-3.5-scala-2.12-compatpkg:apk/chainguard/spark-fips-3.5-scala-2.13-compatpkg:apk/chainguard/trinopkg:apk/chainguard/trino-configpkg:apk/chainguard/trino-oci-entrypointpkg:apk/chainguard/trino-plugin-accumulopkg:apk/chainguard/trino-plugin-ai-functionspkg:apk/chainguard/trino-plugin-atoppkg:apk/chainguard/trino-plugin-bigquerypkg:apk/chainguard/trino-plugin-blackholepkg:apk/chainguard/trino-plugin-cassandrapkg:apk/chainguard/trino-plugin-clickhousepkg:apk/chainguard/trino-plugin-delta-lakepkg:apk/chainguard/trino-plugin-druidpkg:apk/chainguard/trino-plugin-duckdbpkg:apk/chainguard/trino-plugin-elasticsearchpkg:apk/chainguard/trino-plugin-example-httppkg:apk/chainguard/trino-plugin-exasolpkg:apk/chainguard/trino-plugin-exchange-filesystempkg:apk/chainguard/trino-plugin-exchange-hdfspkg:apk/chainguard/trino-plugin-fakerpkg:apk/chainguard/trino-plugin-functions-pythonpkg:apk/chainguard/trino-plugin-geospatialpkg:apk/chainguard/trino-plugin-google-sheetspkg:apk/chainguard/trino-plugin-hivepkg:apk/chainguard/trino-plugin-http-event-listenerpkg:apk/chainguard/trino-plugin-http-server-event-listenerpkg:apk/chainguard/trino-plugin-hudipkg:apk/chainguard/trino-plugin-icebergpkg:apk/chainguard/trino-plugin-ignitepkg:apk/chainguard/trino-plugin-jmxpkg:apk/chainguard/trino-plugin-kafkapkg:apk/chainguard/trino-plugin-kafka-event-listenerpkg:apk/chainguard/trino-plugin-kinesispkg:apk/chainguard/trino-plugin-kudupkg:apk/chainguard/trino-plugin-lakehousepkg:apk/chainguard/trino-plugin-ldap-group-providerpkg:apk/chainguard/trino-plugin-local-filepkg:apk/chainguard/trino-plugin-lokipkg:apk/chainguard/trino-plugin-mariadbpkg:apk/chainguard/trino-plugin-memorypkg:apk/chainguard/trino-plugin-mlpkg:apk/chainguard/trino-plugin-mongodbpkg:apk/chainguard/trino-plugin-mysqlpkg:apk/chainguard/trino-plugin-mysql-event-listenerpkg:apk/chainguard/trino-plugin-opapkg:apk/chainguard/trino-plugin-openlineagepkg:apk/chainguard/trino-plugin-opensearchpkg:apk/chainguard/trino-plugin-oraclepkg:apk/chainguard/trino-plugin-password-authenticatorspkg:apk/chainguard/trino-plugin-phoenix5pkg:apk/chainguard/trino-plugin-pinotpkg:apk/chainguard/trino-plugin-postgresqlpkg:apk/chainguard/trino-plugin-prometheuspkg:apk/chainguard/trino-plugin-rangerpkg:apk/chainguard/trino-plugin-raptor-legacypkg:apk/chainguard/trino-plugin-redispkg:apk/chainguard/trino-plugin-redshiftpkg:apk/chainguard/trino-plugin-resource-group-managerspkg:apk/chainguard/trino-plugin-session-property-managerspkg:apk/chainguard/trino-plugin-singlestorepkg:apk/chainguard/trino-plugin-snowflakepkg:apk/chainguard/trino-plugin-spooling-filesystempkg:apk/chainguard/trino-plugin-sqlserverpkg:apk/chainguard/trino-plugin-teradata-functionspkg:apk/chainguard/trino-plugin-thriftpkg:apk/chainguard/trino-plugin-tpcdspkg:apk/chainguard/trino-plugin-tpchpkg:apk/chainguard/trino-plugin-verticapkg:apk/wolfi/apache-nifipkg:apk/wolfi/apache-nifi-compatpkg:apk/wolfi/apache-nifi-toolkitpkg:apk/wolfi/celeborn-0.5pkg:apk/wolfi/celeborn-0.6pkg:apk/wolfi/dottypkg:apk/wolfi/druidpkg:apk/wolfi/druid-compatpkg:apk/wolfi/spark-3.5pkg:apk/wolfi/spark-3.5-scala-2.12-compatpkg:apk/wolfi/spark-3.5-scala-2.12-iamguarded-compatpkg:apk/wolfi/spark-3.5-scala-2.13-compatpkg:apk/wolfi/trinopkg:apk/wolfi/trino-configpkg:apk/wolfi/trino-oci-entrypointpkg:apk/wolfi/trino-plugin-accumulopkg:apk/wolfi/trino-plugin-ai-functionspkg:apk/wolfi/trino-plugin-atoppkg:apk/wolfi/trino-plugin-bigquerypkg:apk/wolfi/trino-plugin-blackholepkg:apk/wolfi/trino-plugin-cassandrapkg:apk/wolfi/trino-plugin-clickhousepkg:apk/wolfi/trino-plugin-delta-lakepkg:apk/wolfi/trino-plugin-druidpkg:apk/wolfi/trino-plugin-duckdbpkg:apk/wolfi/trino-plugin-elasticsearchpkg:apk/wolfi/trino-plugin-example-httppkg:apk/wolfi/trino-plugin-exasolpkg:apk/wolfi/trino-plugin-exchange-filesystempkg:apk/wolfi/trino-plugin-exchange-hdfspkg:apk/wolfi/trino-plugin-fakerpkg:apk/wolfi/trino-plugin-functions-pythonpkg:apk/wolfi/trino-plugin-geospatialpkg:apk/wolfi/trino-plugin-google-sheetspkg:apk/wolfi/trino-plugin-hivepkg:apk/wolfi/trino-plugin-http-event-listenerpkg:apk/wolfi/trino-plugin-http-server-event-listenerpkg:apk/wolfi/trino-plugin-hudipkg:apk/wolfi/trino-plugin-icebergpkg:apk/wolfi/trino-plugin-ignitepkg:apk/wolfi/trino-plugin-jmxpkg:apk/wolfi/trino-plugin-kafkapkg:apk/wolfi/trino-plugin-kafka-event-listenerpkg:apk/wolfi/trino-plugin-kinesispkg:apk/wolfi/trino-plugin-kudupkg:apk/wolfi/trino-plugin-lakehousepkg:apk/wolfi/trino-plugin-ldap-group-providerpkg:apk/wolfi/trino-plugin-local-filepkg:apk/wolfi/trino-plugin-lokipkg:apk/wolfi/trino-plugin-mariadbpkg:apk/wolfi/trino-plugin-memorypkg:apk/wolfi/trino-plugin-mlpkg:apk/wolfi/trino-plugin-mongodbpkg:apk/wolfi/trino-plugin-mysqlpkg:apk/wolfi/trino-plugin-mysql-event-listenerpkg:apk/wolfi/trino-plugin-opapkg:apk/wolfi/trino-plugin-openlineagepkg:apk/wolfi/trino-plugin-opensearchpkg:apk/wolfi/trino-plugin-oraclepkg:apk/wolfi/trino-plugin-password-authenticatorspkg:apk/wolfi/trino-plugin-phoenix5pkg:apk/wolfi/trino-plugin-pinotpkg:apk/wolfi/trino-plugin-postgresqlpkg:apk/wolfi/trino-plugin-prometheuspkg:apk/wolfi/trino-plugin-rangerpkg:apk/wolfi/trino-plugin-raptor-legacypkg:apk/wolfi/trino-plugin-redispkg:apk/wolfi/trino-plugin-redshiftpkg:apk/wolfi/trino-plugin-resource-group-managerspkg:apk/wolfi/trino-plugin-session-property-managerspkg:apk/wolfi/trino-plugin-singlestorepkg:apk/wolfi/trino-plugin-snowflakepkg:apk/wolfi/trino-plugin-spooling-filesystempkg:apk/wolfi/trino-plugin-sqlserverpkg:apk/wolfi/trino-plugin-teradata-functionspkg:apk/wolfi/trino-plugin-thriftpkg:apk/wolfi/trino-plugin-tpcdspkg:apk/wolfi/trino-plugin-tpchpkg:apk/wolfi/trino-plugin-verticapkg:maven/com.google.protobuf/protobuf-javapkg:maven/com.google.protobuf/protobuf-javalite
< 2.6.0-r2+ 165 more
- (no CPE)range: < 2.6.0-r2
- (no CPE)range: < 2.6.0-r2
- (no CPE)range: < 2.6.0-r2
- (no CPE)range: < 0.5.4-r26
- (no CPE)range: < 0.6.3-r7
- (no CPE)range: < 3.4.0-r0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 5.0.0-r1
- (no CPE)range: < 3.3.6-r8
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 0
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 3.5.4-r17
- (no CPE)range: < 3.5.4-r17
- (no CPE)range: < 3.5.4-r17
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 2.6.0-r2
- (no CPE)range: < 2.6.0-r2
- (no CPE)range: < 2.6.0-r2
- (no CPE)range: < 0.5.4-r26
- (no CPE)range: < 0.6.3-r7
- (no CPE)range: < 3.4.0-r0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 3.5.7-r2
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: < 439-r0
- (no CPE)range: >= 3.0.0, < 3.16.3
- (no CPE)range: >= 3.20.0, < 3.20.3
- Google/ProtocolBuffersv5Range: 3.21.0
Patches
Vulnerability mechanics
References
6- github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9nvdPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-g5ww-5jh7-63cxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-3509ghsaADVISORY
- github.com/protocolbuffers/protobuf/blob/v2.6.1/java/core/src/main/java/com/google/protobuf/MessageReflection.javaghsaWEB
- github.com/protocolbuffers/protobuf/blob/v3.0.0/java/core/src/main/java/com/google/protobuf/MessageReflection.javaghsaWEB
- github.com/protocolbuffers/protobuf/tree/main/javaghsaPACKAGE
News mentions
0No linked articles in our index yet.