Incorrect Behavior Order
CVE-2021-22569
Summary
An issue in protobuf-java allowed com.google.protobuf.UnknownFieldSet fields to be interleaved in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated garbage-collection pauses. We recommend upgrading libraries beyond the vulnerable versions. The fix was released for the "protobuf-java" package in versions 3.16.1, 3.18.2, and 3.19.2, for the "protobuf-kotlin" package in versions 3.18.2 and 3.19.2, and for the "google-protobuf" RubyGems package in version 3.19.2.
- Attack Complexity: LOW
- Attack Vector: LOCAL
- Privileges Required: NONE
- Scope: UNCHANGED
- User Interaction: REQUIRED
- Confidentiality Impact: NONE
- Integrity Impact: NONE
- Availability Impact: HIGH
CWE-696 - Incorrect Behavior Order
The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.
References
Advisory Timeline
- Published