CVE-2025-68480
Unknown Unknown - Not Provided
Denial of Service in Marshmallow Schema.load(many=True

Publication date: 2025-12-22

Last updated on: 2025-12-22

Assigner: GitHub, Inc.

Description
Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time. This issue has been patched in version 3.26.2 and 4.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-22
Last Modified
2025-12-22
Generated
2026-06-16
AI Q&A
2025-12-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68480
EUVD
EUVD-2025-204752
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
marshmallow marshmallow 4.0.0
marshmallow marshmallow 3.26.2
marshmallow marshmallow 3.0.0rc1
marshmallow marshmallow 4.1.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-405 The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68480 is a denial of service (DoS) vulnerability in the marshmallow Python library, specifically in the Schema.load(data, many=True) method. When processing moderately sized requests with many=True, the method can consume a disproportionate amount of CPU time, leading to resource exhaustion. The issue is due to inefficient handling of error message merging that could mutate input data structures and cause excessive CPU usage. This vulnerability affects versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, and has been fixed by introducing deep copying of error messages before merging and refining the merging logic to avoid rebuilding collections. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause your application using the marshmallow library to consume excessive CPU resources when processing certain requests. This can lead to denial of service conditions where your service becomes slow or unresponsive due to resource exhaustion. The attack can be performed remotely without any privileges or user interaction, making it easier to exploit and potentially disrupt availability of your service. [2]

Detection Guidance

This vulnerability can be detected by identifying usage of the marshmallow library versions from 3.0.0rc1 up to before 3.26.2 and from 4.0.0 up to before 4.1.2, specifically where Schema.load(data, many=True) is called. Monitoring for unusually high CPU usage during processing of requests involving marshmallow's Schema.load with many=True could indicate exploitation attempts. There are no specific commands provided in the resources to detect the vulnerability on your system or network. [2]

Mitigation Strategies

Immediate mitigation steps include upgrading the marshmallow library to version 3.26.2 or 4.1.2 or later, where the vulnerability is patched. Additionally, a suggested workaround is to implement a 'fail fast' check that verifies the input data is a list before processing with Schema.load(many=True), raising a ValidationError if not, to avoid the vulnerable code path. [2, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68480. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart