CVE-2021-22569 HIGH

CVE-2021-22569: Denial of Service of protobuf-java parsing procedure

Vendor Google LLC
Product protobuf-java
Weakness CWE-696
Published January 7, 2022
Last update April 21, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated garbage-collection pauses. We recommend upgrading libraries beyond the vulnerable versions.

Key dates

Disclosure timeline

January 7, 2022 CVE published
April 21, 2025 Record updated