CVE-2021-22570 com.google.protobuf:protobuf-java

Package

Manager: maven
Name: com.google.protobuf:protobuf-java
Vulnerable Version: <0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00121 (percentile: 0.31874)

Details

Withdrawn Advisory: NULL Pointer Dereference in Protocol Buffers

### Withdrawn Advisory

This advisory has been withdrawn because the protobuf vulnerability comes from the compiler rather than the code. This link is maintained to preserve external references.

### Original Description

Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.

Metadata

Created: 2022-01-27T00:01:15Z
Modified: 2025-08-25T22:36:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-77rm-9x9h-xj3g/GHSA-77rm-9x9h-xj3g.json
CWE IDs: ["CWE-476"]
Alternative ID: GHSA-77rm-9x9h-xj3g
Finding: F002
Auto approve: 1