Seal Security

CVE-2021-22570

Withdrawn Advisory: NULL Pointer Dereference in Protocol Buffers

### Withdrawn AdvisoryThis advisory has been withdrawn because the protobuf vulnerability comes from the compiler rather that the code. This link is maintained to preserve external references.### Original DescriptionNullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading

Vulnerability Details

Score

7.5

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Versions

Google.Protobuf < 3.15.0; google/protobuf < 3.15.0; com.google.protobuf:protobuf-java < 3.15.0; github.com/protocolbuffers/protobuf < 0.0.0-20210218195015-ae50d9b99025; protobuf < 3.15.0; github.com/protocolbuffers/protobuf >= 0.0.0 < 3.15.0

Severity

High

Ecosystem

PHP

Publish Date

January 26, 2022

Modified Date

August 25, 2025