CVE-2025-4565Uncontrolled Recursion in Python-protobuf

CWE-674Uncontrolled Recursion11 documents7 sources
Severity
8.2HIGHNVD
OSV8.7
EPSS
0.0%
top 96.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
17
Protocolbuffers Python-protobufGoogle ProtobufGoogle Protobuf-python+14 more
Timeline
PublishedJun 16
Latest updateSep 2

Description

Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. We recommend upgrading to version =>6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages19 packages

CVEListV5protocolbuffers/python-protobuf< 4.25.8+2
NVDgoogle/protobuf-python5.26.05.29.5+2
PyPIgoogle/protobuf5.26.0rc15.29.5+2

Patches

Patch: github.com

🔴Vulnerability Details

5
OSV
protobuf vulnerabilities2025-09-02
OSV
protobuf vulnerabilities2025-07-09
OSV
protobuf-python has a potential Denial of Service issue2025-06-16
OSV
CVE-2025-4565: Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recurs2025-06-16
GHSA
protobuf-python has a potential Denial of Service issue2025-06-16

📋Vendor Advisories

5
Ubuntu
Protocol Buffers vulnerabilities2025-09-02
Ubuntu
Protocol Buffers vulnerabilities2025-07-09
Red Hat
python-protobuf: Unbounded recursion in Python Protobuf2025-06-16
Microsoft
Unbounded recursion in Python Protobuf2025-06-10
Debian
CVE-2025-4565: protobuf - Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol B...2025