CVE-2025-4565

Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. We recommend upgrading to version =>6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901

Published: Jun 16, 2025
Updated: Aug 20, 2025
CVE: CVE-2025-4565
GHSA: GHSA-8qvm-5x2c-j2w7
Severity: High
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWEs:

CWE-674

Affected Software
References

Software	From	Fixed in
protobuf	-	4.25.8
protobuf	5.26.0rc1	5.29.5
protobuf	6.30.0rc1	6.31.1
google / protobuf-python	-	4.25.8
google / protobuf-python	5.26.0	5.29.5
google / protobuf-python	6.30.0	6.31.1

https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.py#L87-L98
https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.py#L1436-L1478
https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8qvm-5x2c-j2w7
https://github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends

Vulnerability Database

CVE-2025-4565