Denial of Service Vulnerability in Protobuf Pure-Python Backend
CVE-2025-4565
8.2 HIGH
What is CVE-2025-4565?
The Protobuf Pure-Python backend is vulnerable to denial of service when it parses untrusted Protocol Buffers data. Input containing an arbitrary number of recursive groups, recursive messages, or a series of SGROUP tags can corrupt the parser by exceeding the Python recursion limit, which crashes the application with a RecursionError. Affected users are advised to upgrade to version 6.31.1 or later to mitigate this vulnerability.
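As an added example (not code from the advisory or from protobuf itself), the following schema-free scan walks raw wire-format bytes and bounds SGROUP/EGROUP nesting before the data is handed to the pure-Python parser; the wire-type constants, the 100-level default and the sample bytes are constructed here. It only counts groups: nesting through length-delimited message fields cannot be measured without the schema, so the check is a pre-filter, and upgrading to a fixed release remains the fix.

```python
# Added example (not the advisory's or protobuf's own code): a schema-free
# pre-parse scan of raw wire data that bounds SGROUP/EGROUP nesting depth.
WT_VARINT, WT_I64, WT_LEN, WT_SGROUP, WT_EGROUP, WT_I32 = range(6)

def _read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    result = shift = 0
    while shift <= 63:  # at most 10 bytes per varint
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
    raise ValueError("varint too long")

def group_depth(buf: bytes, limit: int = 100) -> int:
    """Deepest SGROUP nesting in buf; raises ValueError once depth passes limit
    (100 is protobuf's default recursion limit) or the framing is malformed.
    Length-delimited fields are skipped as opaque bytes, so only groups count."""
    pos = depth = deepest = 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        wire_type = tag & 0x7
        if wire_type == WT_VARINT:
            _, pos = _read_varint(buf, pos)
        elif wire_type == WT_LEN:
            length, pos = _read_varint(buf, pos)
            pos += length
        elif wire_type in (WT_I64, WT_I32):
            pos += 8 if wire_type == WT_I64 else 4
        elif wire_type == WT_SGROUP:
            depth += 1
            if depth > limit:
                raise ValueError(f"group nesting exceeds {limit}")
            deepest = max(deepest, depth)
        elif wire_type == WT_EGROUP:
            if depth == 0:
                raise ValueError("EGROUP without matching SGROUP")
            depth -= 1
        else:
            raise ValueError(f"invalid wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("field runs past end of buffer")
    if depth:
        raise ValueError("unterminated SGROUP")
    return deepest

# Constructed sample: field 1 varint 150, then two nested field-2 groups around a field-3 varint (depth 2).
SAMPLE = bytes([0x08, 0x96, 0x01, 0x13, 0x13, 0x18, 0x01, 0x14, 0x14])
```

Call `group_depth(data, limit)` on untrusted bytes and discard the message when it raises; the limit should be set no higher than the recursion depth the deployed parser tolerates.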
Affected Version(s)
Python-Protobuf >= 0, < 4.25.8
Python-Protobuf >= 0, < 5.29.5
Python-Protobuf >= 0, < 6.31.1
CVSS V4
Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Alexis Challande - Trail of Bits Ecosystem Security Team