CVE-2025-4565

Name: CVE-2025-4565
Description: Any project that uses the Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages, or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a denial of service by crashing the application with a RecursionError. We recommend upgrading to version >= 6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1108057

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release       Version            Status
protobuf (PTS)    bullseye      3.12.4-1+deb11u1   vulnerable
                  bookworm      3.21.12-3          vulnerable
                  trixie, sid   3.21.12-11         vulnerable

The information below is based on the following data on fixed versions.

Package    Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
protobuf   source   (unstable)   (unfixed)                          1108057

Notes

[bookworm] - protobuf <no-dsa> (Minor issue)
https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901
