Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time. This issue has been patched in version 3.26.2 and 4.1.2.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| marshmallow(PyPI) | 3.0.0rc1 | 3.26.2 | N/A |
| marshmallow(PyPI) | 4.0.0 | 4.1.2 | N/A |
CVSS Metrics
