CVE-2022-3171

MEDIUM5.7EPSS 0.11%

protobuf-java has a potential Denial of Service issue

Published: 10/4/2022Modified: 3/13/2026

Also known as:GHSA-h4h5-3hr4-j3g2CGA-8f53-f8wm-95fh

Description

## Summary A potential Denial of Service issue in `protobuf-java` core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated [embedded messages](http://developers.google.com/protocol-buffers/docs/encoding#embedded) with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. Reporter: [OSS Fuzz](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771) Affected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime. ## Severity [CVE-2022-3171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171) Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication) ## Remediation and Mitigation Please update to the latest available versions of the following packages: protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3) google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)

Affected packages (6)

Debian/protobuffrom 0
Maven/com.google.protobuf:protobuf-java>= 3.21.0-rc-1, < 3.21.7
Maven/com.google.protobuf:protobuf-javalite>= 3.21.0-rc-1, < 3.21.7
Maven/com.google.protobuf:protobuf-kotlin>= 3.21.0-rc-1, < 3.21.7
Maven/com.google.protobuf:protobuf-kotlin-lite>= 3.21.0-rc-1, < 3.21.7
RubyGems/google-protobuf>= 3.21.0.rc.1, < 3.21.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.7	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Description

Affected packages (6)

CVSS scores

References (13)