CVE-2024-7254

CVE-2024-7254 describes a stack overflow DoS in parsers when handling untrusted Protocol Buffers data with deeply nested SGROUP/group structures. The root cause is unbounded recursion when parsing unknown fields (DiscardUnknownFieldsParser) or Java Protobuf Lite against nested groups or map field...

CVE-2022-3171

CVE-2022-3171 describes a parsing issue in protobuf-java core and lite where inputs containing multiple non-repeated embedded messages with repeated or unknown fields can flip objects between mutable and immutable forms, causing long garbage-collection pauses and DoS. Affected versions are protob...

CVE-2021-22569

CVE-2021-22569 concerns protobuf-java: an issue allowing interleaving of UnknownFieldSet fields that can cause the parser to linger due to many short-lived objects, potentially enabling DoS-like pauses. Connected sources show this vulnerability in multiple ecosystems (e.g., Debian protobuf packag...

CVE-2022-3509

CVE-2022-3509 concerns a parsing issue in protobuf-java (core and lite) textformat that, on inputs with multiple non-repeated embedded messages and repeated/unknown fields, can cause objects to flip between mutable/immutable forms and trigger long GC pauses, enabling a denial-of-service condition...

CVE-2022-3510

CVE-2022-3510 summary and remediation (connected sources) : A parsing issue in protobuf-java core and lite triggers a denial-of-service when inputs contain multiple non-repeated embedded messages with repeated/unknown fields, causing objects to flip between mutable and immutable forms and potenti...