Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-hwx9-7pf9-ryce
Vulnerability ID VCID-hwx9-7pf9-ryce
Aliases CVE-2025-4565
GHSA-8qvm-5x2c-j2w7
Summary protobuf-python has a potential Denial of Service issue ### Summary Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of **recursive groups**, **recursive messages** or **a series of [`SGROUP`](https://protobuf.dev/programming-guides/encoding/#groups) tags** can be corrupted by exceeding the Python recursion limit. Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team [ecosystem@trailofbits.com](mailto:ecosystem@trailofbits.com) Affected versions: This issue only affects the [pure-Python implementation](https://github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends) of protobuf-python backend. This is the implementation when `PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python` environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default. This is a Python variant of a [previous issue affecting protobuf-java](https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8). ### Severity This is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker. ### Proof of Concept For reproduction details, please refer to the unit tests [decoder_test.py](https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.py#L87-L98) and [message_test](https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.py#L1436-L1478) ### Remediation and Mitigation A mitigation is available now. Please update to the latest available versions of the following packages: * protobuf-python(4.25.8, 5.29.5, 6.31.1)
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-674 Uncontrolled Recursion
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-4565.json
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-4565
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-4565
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-4565
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-4565
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-4565
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-4565
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-4565
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-4565
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2025-4565
epss 5e-05 https://api.first.org/data/v1/epss?cve=CVE-2025-4565
epss 5e-05 https://api.first.org/data/v1/epss?cve=CVE-2025-4565
epss 5e-05 https://api.first.org/data/v1/epss?cve=CVE-2025-4565
epss 5e-05 https://api.first.org/data/v1/epss?cve=CVE-2025-4565
cvssv3.1 5.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-8qvm-5x2c-j2w7
cvssv4 8.2 https://github.com/protocolbuffers/protobuf
generic_textual HIGH https://github.com/protocolbuffers/protobuf
cvssv4 8.2 https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.py#L87-L98
generic_textual HIGH https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.py#L87-L98
cvssv4 8.2 https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.py#L1436-L1478
generic_textual HIGH https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.py#L1436-L1478
cvssv4 8.2 https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901
generic_textual HIGH https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901
ssvc Track https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901
cvssv4 8.2 https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8
generic_textual HIGH https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8
cvssv3.1_qr HIGH https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8qvm-5x2c-j2w7
cvssv4 8.2 https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8qvm-5x2c-j2w7
generic_textual HIGH https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8qvm-5x2c-j2w7
cvssv4 8.2 https://github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends
generic_textual HIGH https://github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends
cvssv4 8.2 https://nvd.nist.gov/vuln/detail/CVE-2025-4565
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2025-4565
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-4565.json
https://api.first.org/data/v1/epss?cve=CVE-2025-4565
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4565
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/protocolbuffers/protobuf
https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.py#L87-L98
https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.py#L1436-L1478
https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8qvm-5x2c-j2w7
https://github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends
https://nvd.nist.gov/vuln/detail/CVE-2025-4565
1108057 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108057
2373016 https://bugzilla.redhat.com/show_bug.cgi?id=2373016
GHSA-8qvm-5x2c-j2w7 https://github.com/advisories/GHSA-8qvm-5x2c-j2w7
RHSA-2025:10773 https://access.redhat.com/errata/RHSA-2025:10773
RHSA-2026:1249 https://access.redhat.com/errata/RHSA-2026:1249
RHSA-2026:3960 https://access.redhat.com/errata/RHSA-2026:3960
USN-7629-1 https://usn.ubuntu.com/7629-1/
USN-7629-2 https://usn.ubuntu.com/7629-2/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-4565.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/protocolbuffers/protobuf
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.py#L87-L98
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.py#L1436-L1478
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-16T15:38:57Z/ Found at https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8qvm-5x2c-j2w7
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-4565
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.03592
EPSS Score 0.00016
Published At April 12, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:56:53.843466+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-8qvm-5x2c-j2w7/GHSA-8qvm-5x2c-j2w7.json 38.0.0