| Name | CVE-2025-68480 |
| Description | Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time. This issue has been patched in version 3.26.2 and 4.1.2. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1123888 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| python-marshmallow (PTS) | bullseye | 3.10.0-1 | vulnerable |
| bookworm | 3.18.0-1 | vulnerable | |
| forky, sid, trixie | 3.26.1-0.2 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| python-marshmallow | source | (unstable) | (unfixed) | 1123888 |
https://github.com/marshmallow-code/marshmallow/security/advisories/GHSA-428g-f7cq-pgp5
https://github.com/marshmallow-code/marshmallow/commit/218d98a785d3bd25dad8880bb07e9cce70340f31 (4.1.2)
https://github.com/marshmallow-code/marshmallow/commit/70141f4180fb94ced3544cdefdaff89172dd3956 (4.1.2)
https://github.com/marshmallow-code/marshmallow/commit/36f87877d0e889e682386a0121eabe030cde57b1 (4.1.2)
https://github.com/marshmallow-code/marshmallow/commit/0356a3f1c307830f8ded56d823abca5611c594c9 (3.26.2)
https://github.com/marshmallow-code/marshmallow/commit/6d4a17dad54ea9711040c6aa6ba4d59267242a41 (3.26.2)
https://github.com/marshmallow-code/marshmallow/commit/489a8d421dc7955bb53b89e962d69465fbc5b6af (3.26.2)