Medium severity 5.3 · NVD Advisory · Published Sep 18, 2018 · Updated Jun 17, 2026

CVE-2018-17175

Description

In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only").
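The behaviour described above, modelled as an added example; this is a simplified stand-in written for this page, not marshmallow's own code. The field names, the role mapping and every function name are hypothetical. It shows a truthiness test on `only` beside a check that distinguishes `None` from an empty list, plus a small audit that finds roles whose `only` value is empty.

```python
# Simplified stand-in for schema field filtering (assumption: NOT marshmallow's code).
ALL_FIELDS = ("id", "email", "password_hash")  # constructed sample schema fields

# Constructed role -> allowed-fields mapping; "guest" is intended to see nothing.
ROLE_FIELDS = {
    "admin": ["id", "email", "password_hash"],
    "user": ["id", "email"],
    "guest": [],
}


def select_fields_vulnerable(only=None):
    """Truthiness test: [] is falsy, so it is handled like 'no only option'."""
    if only:
        return [f for f in ALL_FIELDS if f in only]
    return list(ALL_FIELDS)


def select_fields_fixed(only=None):
    """Only None means 'no filter'; an empty collection selects no fields."""
    if only is not None:
        return [f for f in ALL_FIELDS if f in only]
    return list(ALL_FIELDS)


def dump(record, role, select):
    """Serialize a record for a role using the given field selector."""
    return {f: record[f] for f in select(only=ROLE_FIELDS[role])}


def audit_roles(role_fields):
    """Return the roles whose 'only' value is empty (but not None)."""
    return sorted(
        role for role, fields in role_fields.items()
        if fields is not None and len(fields) == 0
    )


if __name__ == "__main__":
    rec = {"id": 7, "email": "a@example.test", "password_hash": "x"}  # constructed
    for role in ROLE_FIELDS:
        print(role,
              "| truthiness check:", dump(rec, role, select_fields_vulnerable),
              "| None check:", dump(rec, role, select_fields_fixed))
    print("roles with an empty 'only':", audit_roles(ROLE_FIELDS))
```

Running a check like `audit_roles` over an application's own role-to-fields mapping shows which roles depend on the empty-list case and therefore need the patched versions listed below.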

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| marshmallow (PyPI) | < 2.15.1 | 2.15.1 |
| marshmallow (PyPI) | >= 3.0a0, < 3.0.0b9 | 3.0.0b9 |
