Protobuf Java vulnerable to Uncontrolled Resource Consumption

GHSA-g5ww-5jh7-63cx · CVE-2022-3509

Published Dec 12, 2022 · Modified Feb 4, 2026

Description

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

References

7.5 / 10

HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Packages

Maven/com.google.protobuf:protobuf-java

Fix 3.16.3, 3.19.6, 3.20.3, 3.21.7

Introduced 3.0.0, 3.17.0, 3.20.0, 3.21.0

86 affected versions

3.0.03.0.23.1.03.10.03.10.0-rc-13.11.03.11.0-rc-13.11.0-rc-23.11.13.11.33.11.43.12.03.12.0-rc-13.12.0-rc-23.12.13.12.23.12.43.13.03.13.0-rc-33.14.0 +66 more

Maven/com.google.protobuf:protobuf-javalite

Fix 3.16.3, 3.20.3, 3.21.7

Introduced 3.0.0, 3.20.0, 3.21.0

52 affected versions

3.10.03.10.0-rc-13.11.03.11.0-rc-13.11.0-rc-23.11.13.11.33.11.43.12.03.12.0-rc-13.12.0-rc-23.12.13.12.23.12.43.13.03.13.0-rc-33.14.03.14.0-rc-13.14.0-rc-23.14.0-rc-3 +32 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes