GHSA-428g-f7cq-pgp5

Source
https://github.com/advisories/GHSA-428g-f7cq-pgp5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-428g-f7cq-pgp5/GHSA-428g-f7cq-pgp5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-428g-f7cq-pgp5
Aliases
Published
2025-12-22T20:20:07Z
Modified
2025-12-22T21:11:14.273295Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Marshmallow has DoS in Schema.load(many)
Details

Impact

Schema.load(data, many=True) is vulnerable to denial of service (CWE-405, asymmetric resource consumption): a moderately sized request can consume a disproportionate amount of CPU time. Only availability is affected; the CVSS vector records no confidentiality or integrity impact.

Patches

Fixed in 3.26.2 (3.x line) and 4.1.2 (4.x line).

Workarounds

# Fail fast: reject anything that is not a list before it reaches Schema.load(many=True)
from marshmallow import ValidationError


def load_many(schema, data, **kwargs):
    if not isinstance(data, list):
        raise ValidationError(['Invalid input type.'])
    # Note: unlike load(many=True), this raises on the first invalid item
    # instead of collecting errors for every index.
    return [schema.load(item, **kwargs) for item in data]
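An added example (not from the advisory or the marshmallow project) that extends the workaround above: the wrapper refuses non-list input before iterating, caps the number of items a single request may carry, and collects per-index errors the way a many=True load reports them. To keep it runnable without marshmallow it takes the per-item loader as a callable and uses a constructed `load_user` function in that role; with the library installed you would pass `schema.load` and catch `marshmallow.ValidationError` (which also exposes `.messages`) instead of the local `LoadError`. `MAX_ITEMS`, `load_user` and the sample payloads are assumptions made for illustration.

```python
# Added example: a fail-fast wrapper for many=True loads. Not advisory or
# marshmallow code; load_user, MAX_ITEMS and the sample inputs are constructed.
from typing import Any, Callable, Dict, List


class LoadError(Exception):
    """Carries a marshmallow-style messages dict (field or index -> errors)."""

    def __init__(self, messages: Dict[Any, Any]) -> None:
        super().__init__(messages)
        self.messages = messages


MAX_ITEMS = 1000  # assumed per-request budget; size it per endpoint


def load_many(load_item: Callable[[dict], Any], data: Any,
              max_items: int = MAX_ITEMS) -> List[Any]:
    """Validate a list of items, failing fast on malformed or oversized input.

    load_item validates one item (schema.load with marshmallow). Raises
    LoadError with errors keyed by list index, like a many=True load does.
    """
    # Refuse anything that is not a list before iterating: dicts and strings
    # are iterable too, but only a list is a valid many=True payload.
    if not isinstance(data, list):
        raise LoadError({"_schema": ["Invalid input type."]})
    # Bound the work a single request can trigger.
    if len(data) > max_items:
        raise LoadError({"_schema": [f"Too many items (max {max_items})."]})
    results: List[Any] = []
    errors: Dict[int, Any] = {}
    for idx, item in enumerate(data):
        if not isinstance(item, dict):
            errors[idx] = {"_schema": ["Invalid input type."]}
            continue
        try:
            results.append(load_item(item))
        except LoadError as exc:
            errors[idx] = exc.messages
    if errors:
        raise LoadError(errors)
    return results


def load_user(item: dict) -> dict:
    """Constructed stand-in for Schema.load on one item: integer id, non-empty name."""
    errs: Dict[str, List[str]] = {}
    if not isinstance(item.get("id"), int) or isinstance(item.get("id"), bool):
        errs["id"] = ["Not a valid integer."]
    if not isinstance(item.get("name"), str) or not item["name"]:
        errs["name"] = ["Missing data for required field."]
    if errs:
        raise LoadError(errs)
    return {"id": item["id"], "name": item["name"]}


def try_load(data: Any) -> Dict[str, Any]:
    """Run load_many on a payload and report the outcome as a plain dict."""
    try:
        return {"ok": True, "result": load_many(load_user, data)}
    except LoadError as exc:
        return {"ok": False, "errors": exc.messages}


if __name__ == "__main__":
    # Constructed sample payloads.
    print(try_load([{"id": 1, "name": "alice"}, {"id": 2, "name": "bob"}]))
    print(try_load({"id": 1, "name": "alice"}))      # dict, not list: rejected up front
    print(try_load("[{}]"))                          # string: rejected up front
    print(try_load([{"id": "x", "name": ""}, 42]))   # per-index errors
```

The type check runs before any iteration, so a wrong-typed body is rejected at constant cost; the item cap is the second line of defence, since even a well-typed list can be made arbitrarily long.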
Database specific
{
    "github_reviewed_at": "2025-12-22T20:20:07Z",
    "cwe_ids": [
        "CWE-405"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "nvd_published_at": null
}
References

Affected packages

PyPI / marshmallow

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0rc1
Fixed
3.26.2

Affected versions

3.*

3.0.0rc1
3.0.0rc2
3.0.0rc3
3.0.0rc4
3.0.0rc5
3.0.0rc6
3.0.0rc7
3.0.0rc8
3.0.0rc9
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.1.0
3.1.1
3.2.0
3.2.1
3.2.2
3.3.0
3.4.0
3.5.0
3.5.1
3.5.2
3.6.0
3.6.1
3.7.0
3.7.1
3.8.0
3.9.0
3.9.1
3.10.0
3.11.0
3.11.1
3.12.0
3.12.1
3.12.2
3.13.0
3.14.0
3.14.1
3.15.0
3.16.0
3.17.0
3.17.1
3.18.0
3.19.0
3.20.0
3.20.1
3.20.2
3.21.0
3.21.1
3.21.2
3.21.3
3.22.0
3.23.0
3.23.1
3.23.2
3.23.3
3.24.0
3.24.1
3.24.2
3.25.0
3.25.1
3.26.0
3.26.1

PyPI / marshmallow

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.1.2

Affected versions

4.*

4.0.0
4.0.1
4.1.0
4.1.1
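Because the advisory lists each affected range as an [introduced, fixed) interval, here is an added example (not OSV or marshmallow code) that encodes the two ranges above and tests an arbitrary version string against them, including the 3.0.0rc pre-releases the 3.x range starts at. The version parser is a deliberately small assumption that understands only the `X.Y.Z` and `X.Y.ZrcN` forms appearing on this page; for real dependency scanning use `packaging.version.Version`, which implements full PEP 440 ordering. `installed_status` reads the installed version through `importlib.metadata` and reports "not installed" when marshmallow is absent.

```python
# Added example: check a version string against the affected ranges listed in
# GHSA-428g-f7cq-pgp5. Not OSV or marshmallow code; the parser is an assumption
# that covers only the version forms on this page.
import re
from importlib.metadata import PackageNotFoundError, version as installed_version
from typing import List, Tuple

# [introduced, fixed) pairs copied from the advisory's affected ranges.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("3.0.0rc1", "3.26.2"),
    ("4.0.0", "4.1.2"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn 'X.Y.Z' or 'X.Y.ZrcN' into a tuple that sorts the way PEP 440 does
    for these forms: the fourth field is 0 for a release candidate and 1 for
    the final release, so 3.0.0rc9 < 3.0.0 < 3.0.1."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


def is_affected(v: str) -> bool:
    """True when v lies inside some [introduced, fixed) range of the advisory."""
    parsed = parse_version(v)
    return any(parse_version(lo) <= parsed < parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def installed_status(dist: str = "marshmallow") -> str:
    """Report whether the marshmallow installed in this interpreter is affected."""
    try:
        v = installed_version(dist)
    except PackageNotFoundError:
        return f"{dist}: not installed"
    try:
        verdict = "AFFECTED, upgrade" if is_affected(v) else "not affected"
    except ValueError:
        verdict = "unrecognised version format, check manually"
    return f"{dist} {v}: {verdict}"


if __name__ == "__main__":
    for candidate in ("2.21.0", "3.0.0rc1", "3.26.1", "3.26.2", "4.1.1", "4.1.2"):
        print(f"{candidate:>9}  affected={is_affected(candidate)}")
    print(installed_status())
```

The pre-release handling matters here: a naive split on dots would sort 3.0.0rc1 after 3.0.0, putting the first affected version outside the range.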