Protobuf

This hub aggregates every CVE we track for Protobuf, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Protobuf.

• CVE-2026-6409Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input7.5Apr 16, 2026
• CVE-2026-0994Denial of Service in Python Protobuf8.6Jan 23, 2026
• CVE-2025-53605The protobuf crate before 3.7.2 for Rust allows uncontrolled recursion in the protobuf::coded_input_stream::CodedInputStream::skip_group parsing of unknown fields in untrusted input.5.9Jul 5, 2025
• CVE-2025-4565Unbounded recursion in Python Protobuf5.3Jun 16, 2025
• CVE-2024-7254Stack overflow in Protocol Buffers Java Lite7.5Sep 19, 2024
• CVE-2024-2410Use after free in C++ protobuf7.6May 3, 2024
• CVE-2023-24535Panic when parsing invalid messages in google.golang.org/protobuf7.5Jun 8, 2023
• CVE-2022-3510Parsing issue in protobuf message-type extension7.5Nov 11, 2022
• CVE-2022-3509Parsing issue in protobuf textformat7.5Nov 1, 2022
• CVE-2022-3171Memory handling vulnerability in ProtocolBuffers Java core and lite4.3Oct 12, 2022
• CVE-2022-1941Out of Memory issue in ProtocolBuffers for cpp and python7.5Sep 22, 2022
• CVE-2021-22570Nullptr Dereference in Protobuf6.5Jan 26, 2022
• CVE-2021-22569Denial of Service of protobuf-java parsing procedure7.5Jan 7, 2022
• CVE-2021-3121An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.8.6Jan 11, 2021
• CVE-2019-15544An issue was discovered in the protobuf crate before 2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve calls.7.5Aug 26, 2019