Base Score

MEDIUM5.3

CVE-2025-4565

Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. We recommend upgrading to version =>6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901

VectorNETWORK

Published Bycve-coordination@google.com

Published DateJun 16, 2025, 15:15

Affected Versions(3)

protobuf(PyPI)

Introduced0

Fixed4.25.8

LimitN/A

protobuf(PyPI)

Introduced5.26.0rc1

Fixed5.29.5

LimitN/A

protobuf(PyPI)

Introduced6.30.0rc1

Fixed6.31.1

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
protobuf(PyPI)	0	4.25.8	N/A
protobuf(PyPI)	5.26.0rc1	5.29.5	N/A
protobuf(PyPI)	6.30.0rc1	6.31.1	N/A

Weakness Type (CWE):CWE-674

CVSS Metrics

Base Score

8.2

Vector String

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

HIGH

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

References

https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901

Base Score

MEDIUM5.3

Weakness Type (CWE):CWE-674

CVSS Metrics

Base Score

8.2

Vector String

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

HIGH

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)