Withdrawn Advisory: NULL Pointer Dereference in Protocol Buffers

GHSA-77rm-9x9h-xj3g · CVE-2021-22570 · PYSEC-2022-48

Published Jan 27, 2022 · Modified Feb 4, 2026

Description

Withdrawn Advisory

This advisory has been withdrawn because the protobuf vulnerability comes from the compiler rather that the code. This link is maintained to preserve external references.

Original Description

Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.

References

7.5 / 10

HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Packages

Go/github.com/protocolbuffers/protobuf

Fix 0.0.0-20210218195015-ae50d9b99025, 3.15.0

Introduced 0, 0.0.0

Maven/com.google.protobuf:protobuf-java

Fix 3.15.0

Introduced 0

61 affected versions

2.0.12.0.32.1.02.2.02.3.02.4.0a2.4.12.5.02.6.02.6.13.0.03.0.0-alpha-23.0.0-alpha-33.0.0-alpha-3.13.0.0-beta-13.0.0-beta-23.0.0-beta-33.0.0-beta-43.0.23.1.0 +41 more

NuGet/Google.Protobuf

Fix 3.15.0

Introduced 0

47 affected versions

0.0.1-test13.0.03.0.0-alpha43.0.0-beta23.0.0-beta33.0.0-beta43.1.03.10.03.10.0-rc13.10.13.11.0-rc13.11.0-rc23.11.13.11.23.11.33.11.43.12.03.12.0-rc13.12.0-rc23.12.1 +27 more

Packagist/google/protobuf

Fix 3.15.0

Introduced 0

59 affected versions

v3.1.0-alpha-1v3.10.0v3.10.0RC1v3.11.0v3.11.0RC1v3.11.0RC2v3.11.1v3.11.2v3.11.3v3.11.4v3.12.0v3.12.0RC1v3.12.0RC2v3.12.1v3.12.2v3.12.4v3.13.0v3.13.0.1v3.13.0RC3v3.14.0 +39 more

PyPI/protobuf

Fix 3.15.0

Introduced 0

64 affected versions

2.0.0beta2.0.32.3.02.4.12.5.02.6.02.6.13.0.03.0.0a23.0.0a33.0.0b13.0.0b1.post13.0.0b1.post23.0.0b23.0.0b2.post13.0.0b2.post23.0.0b33.0.0b43.1.03.1.0.post1 +44 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes