CVE-2025-4565: protobuf-python has a potential Denial of Service issue
Any project that uses the Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit.
Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team ecosystem@trailofbits.com
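As an added example (not code from the protobuf project or from this advisory), a schema-free pre-parse check in pure Python that rejects wire data whose SGROUP/EGROUP nesting exceeds a depth bound before the pure-Python decoder recurses on it. The depth limit of 64 and the sample bytes are constructed assumptions; embedded messages travel as opaque length-delimited fields, so their nesting cannot be bounded this way without the schema.

```python
# Added example, not protobuf project code: bound SGROUP/EGROUP nesting in raw wire
# data before parsing. Only groups are checked; embedded messages need the schema.

def _read_varint(buf, pos):
    """Decode a base-128 varint at buf[pos]; return (value, position after it)."""
    result = shift = 0
    while pos < len(buf) and shift <= 63:  # at most 10 bytes
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated or overlong varint")

def max_group_depth(buf):
    """Return the deepest SGROUP nesting in buf; raise ValueError on malformed data."""
    pos = depth = deepest = 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        wire_type = tag & 7  # low three bits; the field number is tag >> 3
        if wire_type == 0:           # varint
            _, pos = _read_varint(buf, pos)
        elif wire_type in (1, 5):    # fixed64 / fixed32
            pos += 8 if wire_type == 1 else 4
        elif wire_type == 2:         # length-delimited: bytes, string or embedded message
            length, pos = _read_varint(buf, pos)
            pos += length
        elif wire_type == 3:         # SGROUP opens one more nesting level
            depth += 1
            deepest = max(deepest, depth)
        elif wire_type == 4:         # EGROUP closes the innermost group
            if depth == 0:
                raise ValueError("EGROUP without matching SGROUP")
            depth -= 1
        else:
            raise ValueError(f"unknown wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("field runs past end of buffer")
    if depth:
        raise ValueError("unterminated group")
    return deepest

def is_safe_to_parse(buf, limit=64):  # limit is an assumed policy, well under the recursion limit
    try:
        return max_group_depth(buf) <= limit  # True only for well-formed, bounded data
    except ValueError:
        return False

# Constructed samples: 0x0b = field 1 SGROUP, 0x0c = field 1 EGROUP, 0x10 = field 2 varint.
BENIGN = b"\x0b\x10\x05\x0c"            # one group holding field 2 = 5
DEEP = b"\x0b" * 1000 + b"\x0c" * 1000  # 1000 nested groups: rejected before parsing
```

Run the check on untrusted bytes before handing them to the parser; data it rejects never reaches the recursive decoder.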
References
- github.com/advisories/GHSA-8qvm-5x2c-j2w7
- github.com/protocolbuffers/protobuf
- github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.py
- github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.py
- github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901
- github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8
- github.com/protocolbuffers/protobuf/security/advisories/GHSA-8qvm-5x2c-j2w7
- github.com/protocolbuffers/protobuf/tree/main/python
- nvd.nist.gov/vuln/detail/CVE-2025-4565