Advisory Database
  • Advisories
  • Dependency Scanning
  1. maven
  2. ›
  3. com.google.protobuf/protobuf-java
  4. ›
  5. CVE-2021-22570

CVE-2021-22570: Withdrawn Advisory: NULL Pointer Dereference in Protocol Buffers

January 27, 2022 (updated August 25, 2025)

Withdrawn Advisory

This advisory has been withdrawn because the protobuf vulnerability comes from the compiler rather that the code. This link is maintained to preserve external references.

Original Description

Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file’s name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.

References

  • github.com/advisories/GHSA-77rm-9x9h-xj3g
  • github.com/protocolbuffers/protobuf
  • github.com/protocolbuffers/protobuf/releases/tag/v3.15.0
  • github.com/pypa/advisory-database/tree/main/vulns/protobuf/PYSEC-2022-48.yaml
  • lists.debian.org/debian-lts-announce/2023/04/msg00019.html
  • lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DVUZPALAQ34TQP6KFNLM4IZS6B32XSA
  • lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PAGL5M2KGYPN3VEQCRJJE6NA7D5YG5X
  • lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTRGBRC5KGCA4SK5MUNLPYJRAGXMBIYY
  • lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFX6KPNOFHYD6L4XES5PCM3QNSKZBOTQ
  • lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQJB6ZPRLKV6WCMX2PRRRQBFAOXFBK6B
  • lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE
  • lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NVTWVQRB5OCCTMKEQFY5MYED3DXDVSLP
  • nvd.nist.gov/vuln/detail/CVE-2021-22570
  • security.netapp.com/advisory/ntap-20220429-0005
  • www.oracle.com/security-alerts/cpuapr2022.html

Code Behaviors & Features

Detect and mitigate CVE-2021-22570 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 3.15.0

Fixed versions

  • 3.15.0

Solution

Upgrade to version 3.15.0 or above.

Impact 5.5 MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Learn more about CVSS

Weakness

  • CWE-476: NULL Pointer Dereference

Source file

maven/com.google.protobuf/protobuf-java/CVE-2021-22570.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 27 Aug 2025 12:18:32 +0000.