CVE-2025-4565

Any project that uses Protobuf Pure-Python backendto parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUPtags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. We recommend upgrading to version =>6.31.1 or beyond commit17838beda2943d08b8a9d4df5b68f5f04f26d901
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
GoogleCNA
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 18%
VendorProductVersion
googleprotobuf-python
𝑥
< 4.25.8
googleprotobuf-python
5.26.0 ≤
𝑥
< 5.29.5
googleprotobuf-python
6.30.0 ≤
𝑥
< 6.31.1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
protobuf
plucky
Fixed 3.21.12-10ubuntu0.1
released
oracular
ignored
noble
Fixed 3.21.12-8.2ubuntu0.2
released
jammy
Fixed 3.12.4-1ubuntu7.22.04.4
released
focal
Fixed 3.6.1.3-2ubuntu5.2+esm2
released
bionic
Fixed 3.0.0-9.1ubuntu1.1+esm3
released
xenial
Fixed 2.6.1-1.3ubuntu0.1~esm4
released
trusty
ignored
Common Weakness Enumeration
References
https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901