CVE-2022-3509
parsing issue vulnerability in protobuf-java (Maven)

parsing issue | No known exploit

What is CVE-2022-3509 About?

This parsing issue in protobuf-java core and lite (versions prior to 3.21.7, 3.20.3, 3.19.6, and 3.16.3) can lead to a denial of service. It arises in text format processing: an input containing multiple instances of a non-repeated embedded message, where those embedded messages carry repeated or unknown fields, causes long garbage collection pauses. Exploitation consists of supplying a specially crafted text-format protobuf message.

Affected Software

  • com.google.protobuf:protobuf-java
    • >3.0.0, <3.16.3
    • >3.17.0, <3.19.6
    • >3.20.0, <3.20.3
    • >3.21.0, <3.21.7
  • com.google.protobuf:protobuf-javalite
    • >3.0.0, <3.16.3
    • >3.20.0, <3.20.3
    • >3.21.0, <3.21.7

Technical Details

The vulnerability is a parsing issue in protobuf-java similar to CVE-2022-3171, specifically in text format processing. When the library parses a text-format input message that contains multiple instances of a non-repeated embedded message, and those embedded messages themselves contain repeated or unknown fields, the parser manages objects inefficiently: each instance triggers a costly conversion between mutable and immutable object forms. These repeated conversions produce significant and prolonged garbage collection pauses in the JVM, starving the application of resources and leading to a denial of service condition. The attack vector is the submission of a maliciously structured protobuf message in text format.

What is the Impact of CVE-2022-3509?

Successful exploitation may allow attackers to cause applications to become unresponsive, lead to significant performance degradation due to long garbage collection pauses, and effectively achieve a denial of service.

What is the Exploitability of CVE-2022-3509?

Exploiting this vulnerability involves crafting a text-format protobuf message with nested, problematic fields that trigger the inefficient object conversion. The complexity is moderate: it requires an understanding of protobuf's text format rules and of how to construct a message that induces excessive garbage collection. No authentication or elevated privileges are typically required if the application processes untrusted text-format protobuf messages. The vulnerability is remotely reachable if the application receives such messages over a network. The primary risk factor is any application that uses the vulnerable protobuf-java library to parse untrusted text-format messages without proper input validation, especially messages containing complex nested structures.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-3509?

Available Upgrade Options

  • com.google.protobuf:protobuf-java
    • >3.0.0, <3.16.3 → Upgrade to 3.16.3
    • >3.17.0, <3.19.6 → Upgrade to 3.19.6
    • >3.20.0, <3.20.3 → Upgrade to 3.20.3
    • >3.21.0, <3.21.7 → Upgrade to 3.21.7
  • com.google.protobuf:protobuf-javalite
    • >3.0.0, <3.16.3 → Upgrade to 3.16.3
    • >3.20.0, <3.20.3 → Upgrade to 3.20.3
    • >3.21.0, <3.21.7 → Upgrade to 3.21.7
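As an added example (not part of this advisory or of the protobuf project), the following script checks `mvn dependency:list` or `mvn dependency:tree` output against the affected ranges and upgrade targets listed above; the dependency output it scans is a constructed sample, and the range bounds are used exactly as printed (exclusive on both ends).

```python
import re
# Affected ranges and fixed versions exactly as the advisory lists them:
# (artifact, lower bound exclusive, upper bound exclusive, fixed version)
AFFECTED = [
    ("protobuf-java",     (3, 0, 0),  (3, 16, 3), "3.16.3"),
    ("protobuf-java",     (3, 17, 0), (3, 19, 6), "3.19.6"),
    ("protobuf-java",     (3, 20, 0), (3, 20, 3), "3.20.3"),
    ("protobuf-java",     (3, 21, 0), (3, 21, 7), "3.21.7"),
    ("protobuf-javalite", (3, 0, 0),  (3, 16, 3), "3.16.3"),
    ("protobuf-javalite", (3, 20, 0), (3, 20, 3), "3.20.3"),
    ("protobuf-javalite", (3, 21, 0), (3, 21, 7), "3.21.7"),
]

# Matches the coordinate in `mvn dependency:list` / `dependency:tree` lines such as "[INFO]    com.google.protobuf:protobuf-java:jar:3.19.4:compile"
DEP_RE = re.compile(r"com\.google\.protobuf:(protobuf-java(?:lite)?):jar:([0-9][0-9A-Za-z.\-]*):")

def parse_version(version):
    """'3.19.4' -> (3, 19, 4); a qualifier such as '-rc1' is dropped from the numeric part."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])

def fix_for(artifact, version):
    """Fixed version to upgrade to, or None when the version is outside every affected range."""
    v = parse_version(version)
    for art, lo, hi, fix in AFFECTED:
        if art == artifact and lo < v < hi:
            return fix
    return None

def scan_dependency_output(text):
    """Return [(artifact, version, fixed_version)] for each affected protobuf artifact found."""
    findings = []
    for line in text.splitlines():
        m = DEP_RE.search(line)
        if m and (fix := fix_for(m.group(1), m.group(2))):
            findings.append((m.group(1), m.group(2), fix))
    return findings

# Constructed sample of `mvn dependency:list` output, not taken from a real build
SAMPLE = """\
[INFO]    com.google.protobuf:protobuf-java:jar:3.19.4:compile
[INFO]    com.google.protobuf:protobuf-javalite:jar:3.21.7:runtime
[INFO]    com.google.guava:guava:jar:31.1-jre:compile
"""

if __name__ == "__main__":
    for artifact, version, fix in scan_dependency_output(SAMPLE):
        print(f"{artifact} {version} is affected by CVE-2022-3509; upgrade to {fix}")
```

In a CI job, pipe the real `mvn dependency:list` output into `scan_dependency_output` and fail the build when it returns a non-empty list.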


Additional Resources

What are Similar Vulnerabilities to CVE-2022-3509?

Similar Vulnerabilities: CVE-2022-3510, CVE-2022-3171, CVE-2020-29582, CVE-2020-29581, CVE-2018-1000876