2373016 – (CVE-2025-4565) CVE-2025-4565 python-protobuf: Unbounded recursion in Python Protobuf

Bug 2373016 (CVE-2025-4565) - CVE-2025-4565 python-protobuf: Unbounded recursion in Python Protobuf

Summary: CVE-2025-4565 python-protobuf: Unbounded recursion in Python Protobuf

Keywords:
Status:	NEW
Alias:	CVE-2025-4565
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2373047 2373048 2373049 2373050
Blocks:
TreeView+	depends on / blocked

Reported:	2025-06-16 15:01 UTC by OSIDB Bzimport
Modified:	2025-06-17 08:28 UTC (History)
CC List:	47 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-06-16 15:01:23 UTC

Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. We recommend upgrading to version =>6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901

Note You need to log in before you can comment on or make changes to this bug.

alinfoot
bbrownin
bdettelb
caswilli
dnakabaa
doconnor
dtrifiro
eglynn
haoli
hkataria
jajackso
jcammara
jjoyce
jkoehler
jmitchel
jneedle
jschluet
jtanner
jwendell
jwong
kaycoth
kegrant
kholdawa
koliveir
kshier
lcouzens
lhh
lphiri
lsvaty
mabashia
mburns
mgarciac
mskarbek
pbraun
pgrist
rbryant
rcernich
shvarugh
simaishi
smcdonal
stcannon
teagle
tfister
thavo
ttakamiy
weaton
yguenane