A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data.
Reporter: OSS-Fuzz
Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected.
CVE-2021-22569 High - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.
For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness.
Please update to the latest available versions of the following packages:
{ "nvd_published_at": "2022-01-10T14:10:00Z", "github_reviewed_at": "2022-01-07T22:23:14Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-696" ] }