VulnerableCode Package Details - pkg:composer/google/protobuf@3.11.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-3y78-ax9a-17e7 Aliases: GHSA-p2gh-cfq4-4wjc	Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion ### Impact A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative `varint`s or deep recursion—can be used to crash the application, impacting service availability. ### Patches Patches have been released to 5.34.0-RC1 and 4.33.6.	4.33.6 Affected by 0 other vulnerabilities.
VCID-uc1w-7er3-x7gb Aliases: CVE-2021-22570 GHSA-77rm-9x9h-xj3g PYSEC-2022-48	Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.	3.15.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-3y78-ax9a-17e7
Aliases:
GHSA-p2gh-cfq4-4wjc

Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion ### Impact A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative `varint`s or deep recursion—can be used to crash the application, impacting service availability. ### Patches Patches have been released to 5.34.0-RC1 and 4.33.6.

4.33.6
Affected by 0 other vulnerabilities.

VCID-uc1w-7er3-x7gb
Aliases:
CVE-2021-22570
GHSA-77rm-9x9h-xj3g
PYSEC-2022-48

Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.

3.15.0
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-27T15:32:15.733961+00:00	GitLab Importer	Affected by	VCID-3y78-ax9a-17e7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/google/protobuf/GHSA-p2gh-cfq4-4wjc.yml	38.4.0
2026-04-16T21:38:10.082846+00:00	GitLab Importer	Affected by	VCID-uc1w-7er3-x7gb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/google/protobuf/CVE-2021-22570.yml	38.4.0
2026-04-16T02:00:00.785001+00:00	GHSA Importer	Affected by	VCID-uc1w-7er3-x7gb	https://github.com/advisories/GHSA-77rm-9x9h-xj3g	38.4.0
2026-04-11T22:52:39.137274+00:00	GitLab Importer	Affected by	VCID-uc1w-7er3-x7gb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/google/protobuf/CVE-2021-22570.yml	38.3.0
2026-04-11T13:27:16.845804+00:00	GHSA Importer	Affected by	VCID-uc1w-7er3-x7gb	https://github.com/advisories/GHSA-77rm-9x9h-xj3g	38.3.0
2026-04-02T23:02:02.429816+00:00	GitLab Importer	Affected by	VCID-uc1w-7er3-x7gb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/google/protobuf/CVE-2021-22570.yml	38.1.0
2026-04-02T14:17:26.226087+00:00	GHSA Importer	Affected by	VCID-uc1w-7er3-x7gb	https://github.com/advisories/GHSA-77rm-9x9h-xj3g	38.1.0
2026-04-01T17:20:52.793427+00:00	GitLab Importer	Affected by	VCID-uc1w-7er3-x7gb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/google/protobuf/CVE-2021-22570.yml	38.0.0