CVE-2025-68480
Denial of Service in marshmallow Schema.load(many=True)
Publication date: 2025-12-22
Last updated on: 2025-12-22
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| marshmallow | marshmallow | 4.0.0 |
| marshmallow | marshmallow | 3.26.2 |
| marshmallow | marshmallow | 3.0.0rc1 |
| marshmallow | marshmallow | 4.1.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-405 | The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric." |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68480 is a denial of service (DoS) vulnerability in the marshmallow Python library, specifically in the Schema.load(data, many=True) method. When processing moderately sized requests with many=True, the method can consume a disproportionate amount of CPU time, leading to resource exhaustion. The issue is due to inefficient handling of error message merging that could mutate input data structures and cause excessive CPU usage. This vulnerability affects versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, and has been fixed by introducing deep copying of error messages before merging and refining the merging logic to avoid rebuilding collections. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to make an application that uses the marshmallow library consume excessive CPU resources while processing certain requests. This can lead to a denial of service condition in which your service becomes slow or unresponsive due to resource exhaustion. The attack can be performed remotely without privileges or user interaction, which makes it easier to exploit and potentially disrupts the availability of your service. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying usage of marshmallow library versions from 3.0.0rc1 up to before 3.26.2 and from 4.0.0 up to before 4.1.2, specifically where Schema.load(data, many=True) is called. Unusually high CPU usage while requests that reach Schema.load with many=True are being processed may indicate exploitation attempts, so monitoring for it is worthwhile. The resources provide no specific commands for detecting the vulnerability on your system or network. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the marshmallow library to a patched release: 3.26.2 or later on the 3.x line, or 4.1.2 or later on the 4.x line. Additionally, a suggested workaround is to implement a 'fail fast' check that verifies the input data is a list before processing it with Schema.load(many=True), raising a ValidationError if it is not, so that the vulnerable code path is never entered. [2, 1]
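The 'fail fast' workaround above, as an added Python example (not code from this record or from marshmallow itself): a guard that accepts only a real list before delegating to Schema.load(many=True). It assumes the caller holds a marshmallow Schema instance and, purely so the guard runs stand-alone, falls back to a local ValidationError class when marshmallow is not installed.

```python
from typing import Any

try:
    # Prefer marshmallow's own error type so callers' existing handlers apply.
    from marshmallow import ValidationError
except ImportError:  # assumption: local fallback so the guard runs without marshmallow installed
    class ValidationError(ValueError):
        """Stand-in with the same single-message call shape used below."""


def ensure_list_payload(data: Any) -> list:
    """Fail-fast check: only a real list may be handed to Schema.load(many=True).

    A decoded JSON array arrives as a list; a JSON object (dict), a string,
    bytes, a tuple, a set or None is refused before the library's per-item
    error-merging path is entered. The test is a strict type check on purpose.
    """
    if not isinstance(data, list):
        raise ValidationError(
            f"Invalid input type: expected a list of objects, got {type(data).__name__}."
        )
    return data


def load_many_safely(schema: Any, data: Any, **load_kwargs: Any) -> Any:
    """Guarded replacement for schema.load(data, many=True, **load_kwargs).

    `schema` is assumed to be a marshmallow Schema instance supplied by the caller.
    """
    return schema.load(ensure_list_payload(data), many=True, **load_kwargs)


def guard_rejects(data: Any) -> bool:
    """True when the fail-fast check refuses `data`; False when it passes through."""
    try:
        ensure_list_payload(data)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample payloads: only the first one should reach the schema.
    samples = [[{"id": 1}, {"id": 2}], {"id": 1}, "[]", b"[]", ({"id": 1},), None]
    for sample in samples:
        verdict = "rejected" if guard_rejects(sample) else "accepted"
        print(f"{type(sample).__name__:>9}: {verdict}")
```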