Google Protobuf Javalite
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Google Protobuf Javalite.
By the Year
In 2026 there have been 0 vulnerabilities in Google Protobuf Javalite. Protobuf Javalite did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 1 | 7.50 |
| 2023 | 0 | 0.00 |
| 2022 | 3 | 7.50 |
It may take a day or so for new Protobuf Javalite vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Google Protobuf Javalite Security Vulnerabilities
Java Protobuf: StackOverflow via Untrusted Nested SGROUP Tags
CVE-2024-7254
7.5 - High
- September 19, 2024
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
Memory Corruption
DDoS via protobuf-java parsing bug before 3.21.7/20.3/19.6/16.3
CVE-2022-3510
7.5 - High
- December 12, 2022
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
DoS via ProtobufJava TextFormat Parsing Pre3.21.7/3.20.3/3.19.6/3.16.3
CVE-2022-3509
7.5 - High
- December 12, 2022
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
DoS via Binary Parsing in protobuf-java core/lite < 3.21.7, 3.20.3, 3.19.6
CVE-2022-3171
7.5 - High
- October 12, 2022
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Google Protobuf Javalite or by Google? Click the Watch button to subscribe.
