Releases94
Frequency1 month 1 week
Last Release
Protocol Buffers for JavaScript

CVE History

CVEAffectedPublishedCVSS v3CVSS v2
>= 3.21.0, < 3.21.7, >= 3.20.0, < 3.20.3, >= 3.17.0, < 3.19.6, < 3.16.34.3 MEDIUM

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

< 3.19.27.5 HIGH4.3 MEDIUM

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.