High severityNVD Advisory· Published Jun 16, 2025· Updated Jun 16, 2025
Unbounded recursion in Python Protobuf
CVE-2025-4565
Description
Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. We recommend upgrading to version =>6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
protobufPyPI | < 4.25.8 | 4.25.8 |
protobufPyPI | >= 5.26.0rc1, < 5.29.5 | 5.29.5 |
protobufPyPI | >= 6.30.0rc1, < 6.31.1 | 6.31.1 |
Affected products
95- osv-coords94 versionspkg:apk/chainguard/awxpkg:apk/chainguard/datadog-agentpkg:apk/chainguard/datadog-agent-core-integrationspkg:apk/chainguard/datadog-agent-core-integrations-fipspkg:apk/chainguard/datadog-agent-fakeintakepkg:apk/chainguard/datadog-agent-fakeintake-fipspkg:apk/chainguard/datadog-agent-fipspkg:apk/chainguard/datadog-agent-jmxpkg:apk/chainguard/datadog-agent-jmx-fipspkg:apk/chainguard/datadog-agent-oci-compatpkg:apk/chainguard/datadog-agent-oci-compat-fipspkg:apk/chainguard/datadog-agent-s6-overlaypkg:apk/chainguard/datadog-agent-s6-overlay-fipspkg:apk/chainguard/datadog-cluster-agentpkg:apk/chainguard/datadog-cluster-agent-fipspkg:apk/chainguard/datadog-cluster-agent-oci-compatpkg:apk/chainguard/datadog-cluster-agent-oci-compat-fipspkg:apk/chainguard/dogstatsdpkg:apk/chainguard/ghidrapkg:apk/chainguard/grafana-oncallpkg:apk/chainguard/grafana-oncall-compatpkg:apk/chainguard/kservepkg:apk/chainguard/kserve-agentpkg:apk/chainguard/kserve-agent-compatpkg:apk/chainguard/kserve-managerpkg:apk/chainguard/kserve-manager-compatpkg:apk/chainguard/kserve-qpextpkg:apk/chainguard/kserve-qpext-compatpkg:apk/chainguard/kserve-routerpkg:apk/chainguard/kserve-router-compatpkg:apk/chainguard/kserve-storage-controllerpkg:apk/chainguard/nemopkg:apk/chainguard/py3.11-text-generation-inferencepkg:apk/chainguard/request-1276pkg:apk/chainguard/request-1276-compatpkg:apk/chainguard/spamcheckpkg:apk/chainguard/spamcheck-compatpkg:apk/chainguard/text-generation-inferencepkg:apk/chainguard/text-generation-inference-compatpkg:apk/wolfi/datadog-agentpkg:apk/wolfi/datadog-agent-core-integrationspkg:apk/wolfi/datadog-agent-fakeintakepkg:apk/wolfi/datadog-agent-jmxpkg:apk/wolfi/datadog-agent-oci-compatpkg:apk/wolfi/datadog-agent-s6-overlaypkg:apk/wolfi/datadog-cluster-agentpkg:apk/wolfi/datadog-cluster-agent-oci-compatpkg:apk/wolfi/dogstatsdpkg:apk/wolfi/grafana-oncallpkg:apk/wolfi/grafana-oncall-compatpkg:apk/wolfi/kservepkg:apk/wolfi/kserve-agentpkg:apk/wolfi/kserve-agent-compatpkg:apk/wolfi/kserve-managerpkg:apk/wolfi/kserve-manager-compatpkg:apk/wolfi/kserve-qpextpkg:apk/wolfi/kserve-qpext-compatpkg:apk/wolfi/kserve-routerpkg:apk/wolfi/kserve-router-compatpkg:apk/wolfi/kserve-storage-controllerpkg:pypi/protobufpkg:rpm/opensuse/protobuf&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/protobuf&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/protobuf&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/protobuf-java&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/python-protobuf&distro=openSUSE%20Leap%2016.0pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP3pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP4pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP5pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP6pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP7pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP6pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP7pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Micro%206.2pkg:rpm/suse/protobuf&distro=SUSE%20Manager%20Server%20Module%204.3pkg:rpm/suse/protobuf-java&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/protobuf-java&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/python-protobuf&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/python-protobuf&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
< 24.6.1-r9+ 93 more
- (no CPE)range: < 24.6.1-r9
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 11.4-r0
- (no CPE)range: < 1.16.3-r0
- (no CPE)range: < 1.16.3-r0
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 2.3.1-r4
- (no CPE)range: < 3.3.6-r3
- (no CPE)range: < 0.24.1-r1
- (no CPE)range: < 0.24.1-r1
- (no CPE)range: < 3.5.3-r3
- (no CPE)range: < 3.5.3-r3
- (no CPE)range: < 3.3.6-r3
- (no CPE)range: < 3.3.6-r3
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 7.67.0-r1
- (no CPE)range: < 1.16.3-r0
- (no CPE)range: < 1.16.3-r0
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 0.15.2-r2
- (no CPE)range: < 4.25.8
- (no CPE)range: < 25.1-150600.16.13.1
- (no CPE)range: < 28.3-160000.3.1
- (no CPE)range: < 31.1-1.1
- (no CPE)range: < 28.3-160000.3.1
- (no CPE)range: < 5.28.3-160000.3.1
- (no CPE)range: < 3.9.2-150200.4.27.1
- (no CPE)range: < 3.9.2-150200.4.27.1
- (no CPE)range: < 25.1-150400.9.16.1
- (no CPE)range: < 25.1-150400.9.16.1
- (no CPE)range: < 25.1-150500.12.11.1
- (no CPE)range: < 25.1-150600.16.13.1
- (no CPE)range: < 25.1-150600.16.13.1
- (no CPE)range: < 25.1-150600.16.13.1
- (no CPE)range: < 25.1-150600.16.13.1
- (no CPE)range: < 25.1-150600.16.13.1
- (no CPE)range: < 3.9.2-150200.4.27.1
- (no CPE)range: < 3.9.2-150200.4.27.1
- (no CPE)range: < 25.1-150400.9.16.1
- (no CPE)range: < 25.1-150500.12.11.1
- (no CPE)range: < 3.9.2-150200.4.27.1
- (no CPE)range: < 3.9.2-150200.4.27.1
- (no CPE)range: < 25.1-150600.16.13.1
- (no CPE)range: < 25.1-150600.16.13.1
- (no CPE)range: < 28.3-160000.3.1
- (no CPE)range: < 28.3-160000.3.1
- (no CPE)range: < 23.4-10.1
- (no CPE)range: < 23.4-slfo.1.1_2.1
- (no CPE)range: < 28.3-160000.3.1
- (no CPE)range: < 25.1-150400.9.16.1
- (no CPE)range: < 28.3-160000.3.1
- (no CPE)range: < 28.3-160000.3.1
- (no CPE)range: < 5.28.3-160000.3.1
- (no CPE)range: < 5.28.3-160000.3.1
- Range: 0
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-8qvm-5x2c-j2w7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-4565ghsaADVISORY
- github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.pyghsaWEB
- github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.pyghsaWEB
- github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901ghsaWEB
- github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8ghsaWEB
- github.com/protocolbuffers/protobuf/security/advisories/GHSA-8qvm-5x2c-j2w7ghsaWEB
- github.com/protocolbuffers/protobuf/tree/main/pythonghsaWEB
News mentions
0No linked articles in our index yet.