CVE-2025-4565
BaseFortify
Publication date: 2025-06-16
Last updated on: 2025-08-14
Assigner: Google Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| protobuf-python | to 4.25.8 (exc) | |
| protobuf-python | From 5.26.0 (inc) to 5.29.5 (exc) | |
| protobuf-python | From 6.30.0 (inc) to 6.31.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-4565 is a vulnerability in the pure Python implementation of the Google Protocol Buffers (protobuf) library. It occurs when parsing untrusted protobuf data that contains an arbitrary number of recursive groups, recursive messages, or a series of SGROUP tags. Because the decoder did not limit recursion depth, maliciously crafted messages with excessive nesting could cause the Python recursion limit to be exceeded, leading to a crash of the application with a RecursionError. This results in a denial of service. The vulnerability was fixed by introducing a configurable recursion depth limit in the decoder to prevent excessive nesting from causing crashes. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by causing a denial of service in applications that use the pure Python protobuf decoder to parse untrusted data. If an attacker sends protobuf messages with deeply nested recursive groups or messages, it can exceed the Python recursion limit and crash the application, potentially disrupting service availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for application crashes or RecursionError exceptions in applications using the Protobuf Pure-Python backend when parsing Protocol Buffers data. Specifically, look for error messages like "Error parsing message: too many levels of nesting." There are no explicit commands provided, but you can enable logging or debugging in your Python application to capture such exceptions during protobuf message parsing. Additionally, testing with crafted protobuf messages containing deeply nested recursive groups or messages can help detect if the system is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the protobuf Python library to version 6.31.1 or later, which includes the fix that enforces a recursion depth limit during message parsing. Alternatively, if upgrading is not immediately possible, you can configure the recursion limit dynamically using the provided SetRecursionLimit(new_limit) function to a safe value (default is 100) to prevent excessive recursion. Avoid processing untrusted protobuf data until the fix is applied. [1]