7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-22569

GHSA ID

GHSA-wrvw-hg22-4m67

EPSS Score

0.64125%

CWE

CWE-696

Published

1/7/2022

Updated

1/24/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-22569

CVE-2021-22569: A potential Denial of Service issue in protobuf-java

Summary

A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data.

Reporter: OSS-Fuzz

Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected.

Severity

CVE-2021-22569 High - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.

Proof of Concept

For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness.

Remediation and Mitigation

Please update to the latest available versions of the following packages:

protobuf-java (3.16.1, 3.18.2, 3.19.2)
protobuf-kotlin (3.18.2, 3.19.2)
google-protobuf [JRuby gem only] (3.19.2)

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-22569

GHSA ID

GHSA-wrvw-hg22-4m67

EPSS Score

0.64125%

CWE

CWE-696

Published

1/7/2022

Updated

1/24/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.google.protobuf:protobuf-java	maven	< 3.16.1	3.16.1
google-protobuf	rubygems	< 3.19.2	3.19.2
com.google.protobuf:protobuf-java	maven	>= 3.18.0, < 3.18.2	3.18.2
com.google.protobuf:protobuf-java	maven	>= 3.19.0, < 3.19.2	3.19.2
com.google.protobuf:protobuf-kotlin	maven	>= 3.18.0, < 3.18.2	3.18.2
com.google.protobuf:protobuf-kotlin	maven	>= 3.19.0, < 3.19.2	3.19.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how unknown fields are parsed in Java Protobuf. Key functions in the parsing pipeline (mergeFieldFrom, parseUnknownField, and DiscardUnknownFieldsParser) handle unknown field processing. These functions were likely optimized in patched versions to prevent excessive object creation and recursion. The OSS-Fuzz PoC demonstrates that interleaved unknown fields trigger the issue, implicating these core parsing mechanisms. The CWE-696 (incorrect order) suggests improper handling of parsing steps, leading to resource exhaustion.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Summ*ry * pot*nti*l **ni*l o* S*rvi** issu* in proto*u*-j*v* w*s *is*ov*r** in t** p*rsin* pro***ur* *or *in*ry **t*. R*port*r: [OSS-*uzz](*ttps://*it*u*.*om/*oo*l*/oss-*uzz) *****t** v*rsions: *ll v*rsions o* J*v* Proto*u*s (in*lu*in* Kotlin *

Reasoning

T** vuln*r**ility st*ms *rom *ow unknown *i*l*s *r* p*rs** in J*v* Proto*u*. K*y *un*tions in t** p*rsin* pip*lin* (m*r***i*l**rom, p*rs*Unknown*i*l*, *n* *is**r*Unknown*i*l*sP*rs*r) **n*l* unknown *i*l* pro**ssin*. T**s* *un*tions w*r* lik*ly optimi

7.5

Basic Information

Concerned about an active attack path?

CVE-2021-22569: A potential Denial of Service issue in protobuf-java

Summary

Severity

Proof of Concept

Remediation and Mitigation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI