CVE-2022-3510 Overview
CVE-2022-3510 is a denial of service vulnerability affecting Google Protocol Buffers (protobuf) Java implementations. The vulnerability exists in both protobuf-java core and protobuf-javalite libraries, where a parsing issue with Message-Type Extensions can lead to severe application availability impacts. This vulnerability is similar to CVE-2022-3171 but specifically targets the Message-Type Extensions parsing mechanism.
The flaw occurs when processing inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields. This causes objects to be converted back-and-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses that can effectively render an application unresponsive.
Critical Impact
Applications using vulnerable protobuf-java versions can be rendered unavailable through specially crafted inputs that trigger excessive garbage collection, causing denial of service conditions in production environments.
Affected Products
- Google protobuf-java versions prior to 3.21.7, 3.20.3, 3.19.6, and 3.16.3
- Google protobuf-javalite versions prior to 3.21.7, 3.20.3, 3.19.6, and 3.16.3
Discovery Timeline
- 2022-12-12 - CVE-2022-3510 published to NVD
- 2025-04-22 - Last updated in NVD database
Technical Details for CVE-2022-3510
Vulnerability Analysis
This denial of service vulnerability stems from inefficient handling of Message-Type Extensions during protocol buffer parsing operations. When the parser encounters multiple instances of non-repeated embedded messages containing repeated or unknown fields, it triggers a pathological pattern of object state transitions. The Java runtime continuously converts message objects between their mutable (builder) and immutable (built) states, creating significant memory allocation and deallocation pressure.
The vulnerability is particularly concerning because Protocol Buffers are widely used in microservices architectures, gRPC communications, and data serialization across distributed systems. An attacker who can send crafted protobuf messages to an application endpoint could exploit this parsing behavior to cause extended garbage collection pauses, effectively creating a denial of service condition without requiring authentication or special privileges.
Root Cause
The root cause lies in the message-type extension merging logic. Prior to the fix, extensions would build up immutable instances before merging them, which proved inefficient when processing messages with specific field patterns. The parsing constructor approach accumulated objects that needed to be converted between states, triggering excessive garbage collection activity. The fix refactors this behavior to merge from wire-format directly into mutable messages, eliminating the unnecessary object creation and state transitions.
Attack Vector
The attack vector is network-based, requiring an attacker to send specially crafted Protocol Buffer messages to a vulnerable application. The attack does not require user interaction or authentication. An attacker needs to:
- Identify an endpoint accepting protobuf-encoded messages
- Craft a message containing multiple instances of non-repeated embedded messages
- Include repeated or unknown fields within these embedded messages
- Send the malicious payload to trigger the mutable/immutable conversion cycle
The security patch addresses this by changing how message-type extensions are processed:
* Optimized Java proto serialization gencode for protos having many extension ranges with few fields in between.
* More thoroughly annotate public generated code in Java lite protocol buffers.
* Fixed Bug in proto3 java lite repeated enum fields. Failed to call copyOnWrite before modifying previously built message. Causes modification to already "built" messages that should be immutable.
- * Refactoring java full runtime to reuse sub-message builders and prepare to migrate parsing logic from parse constructor to builder.
* Fix Java reflection serialization of empty packed fields.
+ * Refactoring java full runtime to reuse sub-message builders and prepare to
+ migrate parsing logic from parse constructor to builder.
+ * Move proto wireformat parsing functionality from the private "parsing
+ constructor" to the Builder class.
+ * Change the Lite runtime to prefer merging from the wireformat into mutable
+ messages rather than building up a new immutable object before merging. This
+ way results in fewer allocations and copy operations.
+ * Make message-type extensions merge from wire-format instead of building up instances and merging afterwards. This has much better performance.
Python
* Changes ordering of printed fields in .pyi files from lexicographic to the same ordering found in the proto descriptor.
Source: GitHub Protobuf Commit
Detection Methods for CVE-2022-3510
Indicators of Compromise
- Unusual garbage collection activity with extended pause times in Java applications processing protobuf messages
- Memory utilization spikes correlating with incoming protobuf message processing
- Application response time degradation or timeouts in services using protobuf deserialization
- JVM heap memory patterns showing rapid object allocation and deallocation cycles
Detection Strategies
- Monitor JVM garbage collection metrics for abnormal pause durations exceeding baseline thresholds
- Implement application performance monitoring (APM) to detect latency anomalies in protobuf parsing operations
- Use dependency scanning tools to identify vulnerable protobuf-java or protobuf-javalite library versions in your software bill of materials (SBOM)
- Configure alerting on memory exhaustion events in services that process external protobuf inputs
Monitoring Recommendations
- Enable verbose GC logging (-Xlog:gc* for Java 11+) to capture detailed garbage collection behavior
- Set up heap dump triggers for extended GC pauses to enable post-incident analysis
- Implement rate limiting on endpoints accepting protobuf-encoded payloads to mitigate volumetric attacks
- Deploy network traffic analysis to identify unusual patterns in protobuf message sizes or frequencies
How to Mitigate CVE-2022-3510
Immediate Actions Required
- Upgrade protobuf-java to version 3.21.7, 3.20.3, 3.19.6, or 3.16.3 or later depending on your version branch
- Upgrade protobuf-javalite to the corresponding patched versions
- Audit all applications and services using Protocol Buffers for vulnerable library versions
- Prioritize patching for internet-facing services and gRPC endpoints
Patch Information
Google has released security patches addressing this vulnerability across multiple version branches. The fix refactors the Java runtime to merge from wire-format directly into mutable messages rather than building up immutable instances before merging, significantly improving performance and eliminating the denial of service condition.
The security fix is available in commit db7c17803320525722f45c1d26fc08bc41d1bf48. Refer to the GitHub Protobuf Commit for complete patch details.
Workarounds
- Implement input validation to reject protobuf messages exceeding expected complexity or size thresholds
- Deploy application-level rate limiting for endpoints processing protobuf data
- Configure JVM parameters to limit maximum GC pause times and enable concurrent garbage collection
- Consider network segmentation to restrict access to vulnerable services until patching is complete
# Maven dependency update example
# Update pom.xml to use patched protobuf-java version
# For 3.21.x branch:
# <dependency>
# <groupId>com.google.protobuf</groupId>
# <artifactId>protobuf-java</artifactId>
# <version>3.21.7</version>
# </dependency>
# Gradle dependency update example
# implementation 'com.google.protobuf:protobuf-java:3.21.7'
# Verify installed version
mvn dependency:tree | grep protobuf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
