CVE-2025-4565

EUVD-2025-18401
Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. We recommend upgrading to version =>6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
googleprotobuf-python
𝑥
< 4.25.8
googleprotobuf-python
5.26.0 ≤
𝑥
< 5.29.5
googleprotobuf-python
6.30.0 ≤
𝑥
< 6.31.1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
protobuf
bionic
Fixed 3.0.0-9.1ubuntu1.1+esm3
released
focal
Fixed 3.6.1.3-2ubuntu5.2+esm2
released
jammy
Fixed 3.12.4-1ubuntu7.22.04.4
released
noble
Fixed 3.21.12-8.2ubuntu0.2
released
oracular
ignored
plucky
Fixed 3.21.12-10ubuntu0.1
released
trusty
ignored
xenial
Fixed 2.6.1-1.3ubuntu0.1~esm4
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libprotobuf-lite20
suse enterprise sap 15 SP4
3.9.2-150200.4.33.1
fixed
suse enterprise sap 15 SP5
3.9.2-150200.4.33.1
fixed
suse enterprise server 15 SP4
3.9.2-150200.4.33.1
fixed
suse enterprise server 15 SP5
3.9.2-150200.4.33.1
fixed
libprotobuf-lite25_1_0
suse enterprise desktop 15 SP6
25.1-150600.16.13.1
fixed
suse enterprise desktop 15 SP7
25.1-150600.16.13.1
fixed
suse enterprise sap 15 SP6
25.1-150600.16.13.1
fixed
suse enterprise sap 15 SP7
25.1-150600.16.13.1
fixed
suse enterprise server 15 SP4
25.1-150400.9.16.1
fixed
suse enterprise server 15 SP6
25.1-150600.16.13.1
fixed
suse enterprise server 15 SP7
25.1-150600.16.13.1
fixed
libprotobuf20
suse enterprise desktop 15 SP6
3.9.2-150200.4.27.1
fixed
suse enterprise desktop 15 SP7
3.9.2-150200.4.33.1
fixed
suse enterprise sap 15 SP4
3.9.2-150200.4.33.1
fixed
suse enterprise sap 15 SP5
3.9.2-150200.4.33.1
fixed
suse enterprise sap 15 SP6
3.9.2-150200.4.27.1
fixed
suse enterprise sap 15 SP7
3.9.2-150200.4.33.1
fixed
suse enterprise server 15 SP4
3.9.2-150200.4.33.1
fixed
suse enterprise server 15 SP5
3.9.2-150200.4.33.1
fixed
suse enterprise server 15 SP6
3.9.2-150200.4.27.1
fixed
suse enterprise server 15 SP7
3.9.2-150200.4.33.1
fixed
libprotobuf25_1_0
suse enterprise desktop 15 SP6
25.1-150600.16.13.1
fixed
suse enterprise desktop 15 SP7
25.1-150600.16.13.1
fixed
suse enterprise sap 15 SP6
25.1-150600.16.13.1
fixed
suse enterprise sap 15 SP7
25.1-150600.16.13.1
fixed
suse enterprise server 15 SP4
25.1-150400.9.16.1
fixed
suse enterprise server 15 SP6
25.1-150600.16.13.1
fixed
suse enterprise server 15 SP7
25.1-150600.16.13.1
fixed
libprotoc20
suse enterprise sap 15 SP4
3.9.2-150200.4.33.1
fixed
suse enterprise sap 15 SP5
3.9.2-150200.4.33.1
fixed
suse enterprise server 15 SP4
3.9.2-150200.4.33.1
fixed
suse enterprise server 15 SP5
3.9.2-150200.4.33.1
fixed
libprotoc25_1_0
suse enterprise desktop 15 SP6
25.1-150600.16.13.1
fixed
suse enterprise desktop 15 SP7
25.1-150600.16.13.1
fixed
suse enterprise sap 15 SP5
25.1-150500.12.11.1
fixed
suse enterprise sap 15 SP6
25.1-150600.16.13.1
fixed
suse enterprise sap 15 SP7
25.1-150600.16.13.1
fixed
suse enterprise server 15 SP4
25.1-150400.9.16.1
fixed
suse enterprise server 15 SP5
25.1-150500.12.11.1
fixed
suse enterprise server 15 SP6
25.1-150600.16.13.1
fixed
suse enterprise server 15 SP7
25.1-150600.16.13.1
fixed
protobuf-devel
suse enterprise server 15 SP4
25.1-150400.9.16.1
fixed
python3-protobuf
suse enterprise sap 15 SP4
3.9.2-150200.4.33.1
fixed
suse enterprise sap 15 SP5
3.9.2-150200.4.33.1
fixed
suse enterprise server 15 SP4
3.9.2-150200.4.33.1
fixed
suse enterprise server 15 SP5
3.9.2-150200.4.33.1
fixed
python311-protobuf
suse enterprise sap 15 SP4
4.25.1-150400.9.16.1
fixed
suse enterprise server 15 SP4
4.25.1-150400.9.16.1
fixed
Common Weakness Enumeration
References
https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901