PYSEC-2026-1605

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/marshmallow/PYSEC-2026-1605.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1605
Aliases
Published
2026-07-07T16:03:14.008333Z
Modified
2026-07-07T17:46:15.412219531Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Marshmallow has DoS in Schema.load(many)
Details

Impact

Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time.

Patches

4.1.2, 3.26.2

Workarounds

# Fail fast
def load_many(schema, data, **kwargs):
    if not isinstance(data, list):
        raise ValidationError(['Invalid input type.'])
    return [schema.load(item, **kwargs) for item in data]
References

Affected packages

PyPI / marshmallow

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0rc1
Fixed
3.26.2
Introduced
4.0.0
Fixed
4.1.2

Affected versions

3.*
3.0.0rc1
3.0.0rc2
3.0.0rc3
3.0.0rc4
3.0.0rc5
3.0.0rc6
3.0.0rc7
3.0.0rc8
3.0.0rc9
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.1.0
3.1.1
3.2.0
3.2.1
3.2.2
3.3.0
3.4.0
3.5.0
3.5.1
3.5.2
3.6.0
3.6.1
3.7.0
3.7.1
3.8.0
3.9.0
3.9.1
3.10.0
3.11.0
3.11.1
3.12.0
3.12.1
3.12.2
3.13.0
3.14.0
3.14.1
3.15.0
3.16.0
3.17.0
3.17.1
3.18.0
3.19.0
3.20.0
3.20.1
3.20.2
3.21.0
3.21.1
3.21.2
3.21.3
3.22.0
3.23.0
3.23.1
3.23.2
3.23.3
3.24.0
3.24.1
3.24.2
3.25.0
3.25.1
3.26.0
3.26.1
4.*
4.0.0
4.0.1
4.1.0
4.1.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/marshmallow/PYSEC-2026-1605.yaml"