DEBIAN-CVE-2025-4565

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2025-4565

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-4565.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-4565

Upstream

CVE-2025-4565

Published

2025-06-16T15:15:24Z

Modified

2025-09-30T05:20:56.429569Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

[none]

Details

Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. We recommend upgrading to version =>6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901

References

https://security-tracker.debian.org/tracker/CVE-2025-4565

Affected packages

Debian:11 / protobuf

Package

Name: protobuf
Purl: pkg:deb/debian/protobuf?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.12.4-1

3.12.4-1+deb11u1

3.14.0-1

3.17.1-1

3.17.2-1

3.17.3-1

3.17.3-2

3.18.0~rc1-1

3.18.0~rc2-1

3.18.0-1

3.18.1-1

3.19.0-1

3.19.1-1

3.19.3-1

3.19.4-1

3.20.0~rc1-1

3.20.0~rc2-1

3.20.0-1

3.20.1~rc1-1

3.20.1-1

3.20.2-1

3.21.6-1

3.21.7-1

3.21.8-1

3.21.9-1

3.21.9-2

3.21.9-3

3.21.9-4

3.21.9-5

3.21.10-1

3.21.11-1

3.21.12-1

3.21.12-2

3.21.12-2+exp1

3.21.12-3

3.21.12-4

3.21.12-5

3.21.12-6

3.21.12-7

3.21.12-8

3.21.12-8.1

3.21.12-8.2

3.21.12-9

3.21.12-10

3.21.12-11

3.21.12-12

3.21.12-13

3.21.12-14

3.25.1-1

3.25.2-1

3.25.3-1

3.25.4-1

4.*

4.0.0~rc1-1

4.0.0~rc2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / protobuf

Package

Name: protobuf
Purl: pkg:deb/debian/protobuf?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.21.12-3

3.21.12-4

3.21.12-5

3.21.12-6

3.21.12-7

3.21.12-8

3.21.12-8.1

3.21.12-8.2

3.21.12-9

3.21.12-10

3.21.12-11

3.21.12-12

3.21.12-13

3.21.12-14

3.25.1-1

3.25.2-1

3.25.3-1

3.25.4-1

4.*

4.0.0~rc1-1

4.0.0~rc2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / protobuf

Package

Name: protobuf
Purl: pkg:deb/debian/protobuf?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.21.12-11

3.21.12-12

3.21.12-13

3.21.12-14

3.25.1-1

3.25.2-1

3.25.3-1

3.25.4-1

4.*

4.0.0~rc1-1

4.0.0~rc2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / protobuf

Package

Name: protobuf
Purl: pkg:deb/debian/protobuf?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.21.12-12

Affected versions

3.*

3.21.12-11

Ecosystem specific

{
    "urgency": "not yet assigned"
}