Skip to main content

Incorrect Behavior Order


Severity Medium
Score 5.5/10


An issue in protobuf-java allowed the interleaving of fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions. The was released for "protobuf-java" package in versions 3.16.1, 3.18.2, and 3.19.2, "protobuf-kotlin" package in 3.18.2 and 3.19.2, and "google-protobuf" RubyGems package in version 3.19.2.

  • LOW
  • NONE
  • NONE
  • NONE
  • HIGH

CWE-696 - Incorrect Behavior Order

The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.

Advisory Timeline

  • Published