UBUNTU-CVE-2025-68480
- Source
- https://ubuntu.com/security/CVE-2025-68480
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-68480.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-68480
- Upstream
- Published
- 2025-12-22T22:16:00Z
- Modified
- 2025-12-26T08:39:14.301605Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Ubuntu - medium
- Summary
- [none]
- Details
-
Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time. This issue has been patched in version 3.26.2 and 4.1.2.
- References
-
- https://ubuntu.com/security/CVE-2025-68480
- https://www.cve.org/CVERecord?id=CVE-2025-68480
- https://github.com/marshmallow-code/marshmallow/security/advisories/GHSA-428g-f7cq-pgp5
- https://github.com/marshmallow-code/marshmallow/commit/218d98a785d3bd25dad8880bb07e9cce70340f31
- https://github.com/marshmallow-code/marshmallow/commit/70141f4180fb94ced3544cdefdaff89172dd3956
- https://github.com/marshmallow-code/marshmallow/commit/36f87877d0e889e682386a0121eabe030cde57b1
- https://github.com/marshmallow-code/marshmallow/commit/0356a3f1c307830f8ded56d823abca5611c594c9
- https://github.com/marshmallow-code/marshmallow/commit/6d4a17dad54ea9711040c6aa6ba4d59267242a41
- https://github.com/marshmallow-code/marshmallow/commit/489a8d421dc7955bb53b89e962d69465fbc5b6af
- https://github.com/marshmallow-code/marshmallow/commit/d24a0c9df061c4daa92f71cf85aca25b83eee508
Affected packages
Ubuntu:18.04:LTS
python-marshmallow
Package
- Name
- python-marshmallow
- Purl
- pkg:deb/ubuntu/python-marshmallow@3.0.0b3-1?arch=source&distro=bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:20.04:LTS
python-marshmallow
Package
- Name
- python-marshmallow
- Purl
- pkg:deb/ubuntu/python-marshmallow@3.4.0-1?arch=source&distro=focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:22.04:LTS
python-marshmallow
Package
- Name
- python-marshmallow
- Purl
- pkg:deb/ubuntu/python-marshmallow@3.13.0-1?arch=source&distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:24.04:LTS
python-marshmallow
Package
- Name
- python-marshmallow
- Purl
- pkg:deb/ubuntu/python-marshmallow@3.20.1-1.1?arch=source&distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:25.04
python-marshmallow
Package
- Name
- python-marshmallow
- Purl
- pkg:deb/ubuntu/python-marshmallow@3.26.1-0.2?arch=source&distro=plucky
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:25.10
python-marshmallow
Package
- Name
- python-marshmallow
- Purl
- pkg:deb/ubuntu/python-marshmallow@3.26.1-0.2?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected