GHSA-77rm-9x9h-xj3g

Source

https://github.com/advisories/GHSA-77rm-9x9h-xj3g

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-77rm-9x9h-xj3g/GHSA-77rm-9x9h-xj3g.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-77rm-9x9h-xj3g

Aliases

Related

Withdrawn

2025-08-25T22:36:48Z

Published

2022-01-27T00:01:15Z

Modified

2025-08-25T22:48:24.146902Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Withdrawn Advisory: NULL Pointer Dereference in Protocol Buffers

Details

Withdrawn Advisory

This advisory has been withdrawn because the protobuf vulnerability comes from the compiler rather that the code. This link is maintained to preserve external references.

Original Description

Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.

Database specific

{
    "nvd_published_at": "2022-01-26T14:15:00Z",
    "cwe_ids": [
        "CWE-476"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-03T22:48:51Z"
}

References

Affected packages

NuGet / Google.Protobuf

Package

Name: Google.Protobuf; View open source insights on deps.dev
Purl: pkg:nuget/Google.Protobuf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.15.0

Affected versions

0.*

0.0.1-test1

3.*

3.0.0-alpha4

3.0.0-beta2

3.0.0-beta3

3.0.0-beta4

3.0.0

3.1.0

3.2.0-rc1

3.2.0-rc2

3.2.0

3.3.0

3.4.0

3.4.1

3.5.0

3.5.1

3.6.0

3.6.1

3.7.0

3.8.0

3.9.0-rc1

3.9.0

3.9.1

3.9.2

3.10.0-rc1

3.10.0

3.10.1

3.11.0-rc1

3.11.0-rc2

3.11.1

3.11.2

3.11.3

3.11.4

3.12.0-rc1

3.12.0-rc2

3.12.0

3.12.1

3.12.2

3.12.3

3.12.4

3.13.0-rc3

3.13.0

3.14.0-rc1

3.14.0-rc2

3.14.0-rc3

3.14.0

3.15.0-rc1

3.15.0-rc2

Packagist / google/protobuf

Package

Name: google/protobuf
Purl: pkg:composer/google/protobuf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.15.0

Affected versions

v3.*

v3.1.0-alpha-1

v3.2.0-alpha-1

v3.3.0rc1

v3.3.0

v3.3.1

v3.3.2

v3.4.0rc1

v3.4.0rc2

v3.4.0rc3

v3.4.0

v3.4.1

v3.5.0

v3.5.0.1

v3.5.1

v3.5.1.1

v3.5.2

v3.6.0rc1

v3.6.0rc2

v3.6.0

v3.6.0.1

v3.6.1

v3.6.1.1

v3.6.1.2

v3.6.1.3

v3.7.0rc1

v3.7.0rc2

v3.7.0-rc.3

v3.7.0

v3.7.1

v3.8.0RC1

v3.8.0

v3.9.0RC1

v3.9.0

v3.9.1

v3.9.2

v3.10.0RC1

v3.10.0

v3.11.0RC1

v3.11.0RC2

v3.11.0

v3.11.1

v3.11.2

v3.11.3

v3.11.4

v3.12.0RC1

v3.12.0RC2

v3.12.0

v3.12.1

v3.12.2

v3.12.4

v3.13.0RC3

v3.13.0

v3.13.0.1

v3.14.0RC1

v3.14.0RC2

v3.14.0RC3

v3.14.0

v3.15.0RC1

v3.15.0RC2

Maven / com.google.protobuf:protobuf-java

Package

Name: com.google.protobuf:protobuf-java; View open source insights on deps.dev
Purl: pkg:maven/com.google.protobuf/protobuf-java

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.15.0

Affected versions

2.*

2.0.1

2.0.3

2.1.0

2.2.0

2.3.0

2.4.0a

2.4.1

2.5.0

2.6.0

2.6.1

3.*

3.0.0-alpha-2

3.0.0-alpha-3

3.0.0-alpha-3.1

3.0.0-beta-1

3.0.0-beta-2

3.0.0-beta-3

3.0.0-beta-4

3.0.0

3.0.2

3.1.0

3.2.0rc2

3.2.0-rc.1

3.2.0

3.3.0

3.3.1

3.4.0

3.5.0

3.5.1

3.6.0

3.6.1

3.7.0-rc1

3.7.0

3.7.1

3.8.0-rc-1

3.8.0

3.9.0-rc-1

3.9.0

3.9.1

3.9.2

3.10.0-rc-1

3.10.0

3.11.0-rc-1

3.11.0-rc-2

3.11.0

3.11.1

3.11.3

3.11.4

3.12.0-rc-1

3.12.0-rc-2

3.12.0

3.12.1

3.12.2

3.12.4

3.13.0-rc-3

3.13.0

3.14.0-rc-1

3.14.0-rc-2

3.14.0-rc-3

3.14.0

3.15.0-rc-1

3.15.0-rc-2

Go / github.com/protocolbuffers/protobuf

Package

Name: github.com/protocolbuffers/protobuf; View open source insights on deps.dev
Purl: pkg:golang/github.com/protocolbuffers/protobuf

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.0.0-20210218195015-ae50d9b99025

PyPI / protobuf

Package

Name: protobuf; View open source insights on deps.dev
Purl: pkg:pypi/protobuf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.15.0

Affected versions

2.*

2.0.0beta

2.0.3

2.3.0

2.4.1

2.5.0

2.6.0

2.6.1

3.*

3.0.0a2

3.0.0a3

3.0.0b1

3.0.0b1.post1

3.0.0b1.post2

3.0.0b2

3.0.0b2.post1

3.0.0b2.post2

3.0.0b3

3.0.0b4

3.0.0

3.1.0

3.1.0.post1

3.2.0rc1

3.2.0rc1.post1

3.2.0rc2

3.2.0

3.3.0

3.4.0

3.5.0.post1

3.5.1

3.5.2

3.5.2.post1

3.6.0

3.6.1

3.7.0rc2

3.7.0rc3

3.7.0

3.7.1

3.8.0rc1

3.8.0

3.9.0rc1

3.9.0

3.9.1

3.9.2

3.10.0rc1

3.10.0

3.11.0rc1

3.11.0rc2

3.11.0

3.11.1

3.11.2

3.11.3

3.12.0rc1

3.12.0rc2

3.12.0

3.12.1

3.12.2

3.12.4

3.13.0rc3

3.13.0

3.14.0rc1

3.14.0rc2

3.14.0rc3

3.14.0

3.15.0rc1

3.15.0rc2

Go / github.com/protocolbuffers/protobuf

Package

Name: github.com/protocolbuffers/protobuf; View open source insights on deps.dev
Purl: pkg:golang/github.com/protocolbuffers/protobuf

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0

Fixed

3.15.0