CVE-2025-4565

Name
CVE-2025-4565
Description
Any project that uses the Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages, or a series of SGROUP tags can be made to exceed the Python recursion limit. This can result in a denial of service by crashing the application with a RecursionError. Upgrading to version >= 6.31.1, or to any build at or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901, is recommended.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type                        | URI
cve-coordination@google.com | https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901

Match rules

CPE URI | Source package | Min version | Max version
(none) | python-protobuf | >= 0 | < 4.25.8
(none) | python-protobuf | >= 0 | < 5.29.5
(none) | python-protobuf | >= 0 | < 6.31.1
cpe:2.3:a:google:protobuf:4.25.8:*:*:*:*:python:*:* | py3-protobuf | == None | == 4.25.8
cpe:2.3:a:google:protobuf:5.29.5:*:*:*:*:python:*:* | py3-protobuf | == None | == 5.29.5
cpe:2.3:a:google:protobuf:6.31.1:*:*:*:*:python:*:* | py3-protobuf | == None | == 6.31.1
cpe:2.3:a:google:protobuf-python:*:*:*:*:*:*:*:* | protobuf-python | >= None | < 4.25.8
cpe:2.3:a:google:protobuf-python:*:*:*:*:*:*:*:* | protobuf-python | >= 5.26.0 | < 5.29.5
cpe:2.3:a:google:protobuf-python:*:*:*:*:*:*:*:* | protobuf-python | >= 6.30.0 | < 6.31.1

Vulnerable and fixed packages

Source package | Branch | Version | Maintainer | Status
py3-protobuf | edge-community | 6.31.1-r1 | Patrycja Rosa <alpine@ptrcnull.me> | possibly vulnerable
py3-protobuf | edge-community | 6.31.1-r0 | Patrycja Rosa <alpine@ptrcnull.me> | possibly vulnerable
py3-protobuf | 3.23-community | 6.31.1-r1 | Patrycja Rosa <alpine@ptrcnull.me> | possibly vulnerable