Basic Information

- CVSS Score: -
- CVE ID: -
- GHSA ID: -
- EPSS Score: -
- CWE: -
- Published: -
- Updated: -
- KEV Status: -

Technology
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.google.protobuf:protobuf-java | maven | < 3.16.3 | 3.16.3 |
| com.google.protobuf:protobuf-java | maven | >= 3.17.0, < 3.19.6 | 3.19.6 |
| com.google.protobuf:protobuf-java | maven | >= 3.20.0, < 3.20.3 | 3.20.3 |
| com.google.protobuf:protobuf-java | maven | >= 3.21.0, < 3.21.7 | 3.21.7 |
| com.google.protobuf:protobuf-javalite | maven | < 3.16.3 | 3.16.3 |
| com.google.protobuf:protobuf-javalite | maven | >= 3.17.0, < 3.19.6 | 3.19.6 |
| com.google.protobuf:protobuf-javalite | maven | >= 3.20.0, < 3.20.3 | 3.20.3 |
| com.google.protobuf:protobuf-javalite | maven | >= 3.21.0, < 3.21.7 | 3.21.7 |
The vulnerability stems from inefficient handling of message builders during TextFormat parsing. Commit a3888f5 shows the critical changes in the BuilderAdapter methods (setField, setRepeatedField, addRepeatedField), where MessageLite.Builder instances were passed around without first being converted to immutable messages via buildPartial(). This caused repeated conversions between mutable and immutable states when processing non-repeated embedded messages that carry repeated or unknown fields. The patch converts builders to messages early in these methods, which removes the object thrashing and so reduces GC pressure.
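The affected ranges above are disjoint and each has its own first patched version, so a naive "is the version below 3.21.7?" check would misclassify a 3.16.3 or 3.19.6 build as vulnerable. The following Python script is an added example, not part of the original advisory: it encodes the four ranges from the table as half-open intervals, compares Maven-style versions numerically (treating a qualified build such as `-rc1` as preceding its release), and reports the upgrade target for each affected coordinate. The dependency list it scans is constructed for illustration, and `protobuf-java-util` appears there only to show that artifacts outside the table are reported as not covered.

```python
"""Affected-version triage for the protobuf-java ranges listed in the advisory table.

Added example, not code from the advisory or from the protobuf project. The ranges
and patched versions are copied from the table above; the sample dependency
coordinates are constructed for illustration.
"""
from __future__ import annotations

import re

# (lower bound inclusive or None, upper bound exclusive, first patched version),
# copied from the advisory table. Both protobuf-java and protobuf-javalite share them.
AFFECTED_RANGES = [
    (None, "3.16.3", "3.16.3"),
    ("3.17.0", "3.19.6", "3.19.6"),
    ("3.20.0", "3.20.3", "3.20.3"),
    ("3.21.0", "3.21.7", "3.21.7"),
]

# group:artifact pairs named in the advisory table.
VULNERABLE_ARTIFACTS = {
    "com.google.protobuf:protobuf-java",
    "com.google.protobuf:protobuf-javalite",
}

# Constructed sample of resolved Maven coordinates, as a build tool might list them.
SAMPLE_DEPENDENCIES = [
    "com.google.protobuf:protobuf-java:3.19.4",
    "com.google.protobuf:protobuf-javalite:3.21.7",
    "com.google.protobuf:protobuf-java:3.16.3",
    "com.google.protobuf:protobuf-java:3.21.7-rc1",
    "com.google.protobuf:protobuf-java-util:3.19.4",
]


def parse_version(version: str) -> tuple[tuple[int, ...], int]:
    """Turn '3.19.4' or '3.21.7-rc1' into a comparable key.

    The key is (numeric parts padded to three, release flag). The flag is 0 for a
    qualified build and 1 for a plain release, so '3.21.7-rc1' sorts before '3.21.7'.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    is_release = 0 if m.group(2) else 1
    return (tuple(nums), is_release)


def affected_range(version: str) -> tuple[str | None, str, str] | None:
    """Return the (lower, upper, patched) range containing `version`, or None."""
    key = parse_version(version)
    for lower, upper, patched in AFFECTED_RANGES:
        if lower is not None and key < parse_version(lower):
            continue  # below this range's inclusive lower bound
        if key < parse_version(upper):
            return (lower, upper, patched)  # inside the half-open interval
    return None


def check_dependency(coordinate: str) -> dict:
    """Evaluate one 'group:artifact:version' coordinate against the advisory."""
    group, artifact, version = coordinate.split(":")
    ga = f"{group}:{artifact}"
    if ga not in VULNERABLE_ARTIFACTS:
        return {"coordinate": coordinate, "affected": False,
                "upgrade_to": None, "reason": "artifact not named in advisory"}
    hit = affected_range(version)
    if hit is None:
        return {"coordinate": coordinate, "affected": False,
                "upgrade_to": None, "reason": "version outside affected ranges"}
    lower, upper, patched = hit
    bound = f">= {lower}, < {upper}" if lower else f"< {upper}"
    return {"coordinate": coordinate, "affected": True,
            "upgrade_to": patched, "reason": f"matches range {bound}"}


def scan(dependencies: list[str]) -> list[dict]:
    """Check every coordinate and return one result record per dependency."""
    return [check_dependency(d) for d in dependencies]


if __name__ == "__main__":
    for result in scan(SAMPLE_DEPENDENCIES):
        status = "AFFECTED" if result["affected"] else "ok"
        target = f" -> upgrade to {result['upgrade_to']}" if result["affected"] else ""
        print(f"{status:8} {result['coordinate']} ({result['reason']}){target}")
```

Feeding the script the output of `mvn dependency:list` or a Gradle dependency report, rather than the declared version in the POM, matters here: the protobuf-java version that actually ends up on the classpath is frequently set by a transitive dependency, and that is the version the ranges must be checked against.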