Medium severity 5.3 · OSV Advisory · Published Dec 22, 2025 · Updated Apr 15, 2026
CVE-2025-68480
Description
Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, `Schema.load(data, many=True)` is vulnerable to denial-of-service attacks: a moderately sized request can consume a disproportionate amount of CPU time. This issue has been patched in versions 3.26.2 and 4.1.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| marshmallow (PyPI) | >= 3.0.0rc1, < 3.26.2 | 3.26.2 |
| marshmallow (PyPI) | >= 4.0.0, < 4.1.2 | 4.1.2 |
Affected products
49 products:
- Range: 3.0.0, 3.0.0rc1, 3.0.0rc2, …
- osv-coords (48 versions):
  - pkg:apk/chainguard/airflow-2 (no CPE), range: < 2.11.0-r18
  - pkg:apk/chainguard/airflow-2-bitnami-compat (no CPE), range: < 2.11.0-r18
  - pkg:apk/chainguard/airflow-2-compat (no CPE), range: < 2.11.0-r18
  - pkg:apk/chainguard/airflow-2-iamguarded-compat (no CPE), range: < 2.11.0-r18
  - pkg:apk/chainguard/airflow-3 (no CPE), range: < 3.1.5-r1
  - pkg:apk/chainguard/airflow-3-bitnami-compat (no CPE), range: < 3.1.5-r1
  - pkg:apk/chainguard/airflow-3-compat (no CPE), range: < 3.1.5-r1
  - pkg:apk/chainguard/airflow-3-iamguarded-compat (no CPE), range: < 3.1.5-r1
  - pkg:apk/chainguard/airflow-core-2 (no CPE), range: < 2.11.0-r10
  - pkg:apk/chainguard/airflow-core-2-compat (no CPE), range: < 2.11.0-r10
  - pkg:apk/chainguard/airflow-core-2-oci-entrypoint (no CPE), range: < 2.11.0-r10
  - pkg:apk/chainguard/ggshield (no CPE), range: < 1.51.0-r0
  - pkg:apk/chainguard/open-webui (no CPE), range: < 0.6.41-r1
  - pkg:apk/chainguard/open-webui-compat (no CPE), range: < 0.6.41-r1
  - pkg:apk/chainguard/py3.11-marshmallow (no CPE), range: < 4.1.2-r0
  - pkg:apk/chainguard/py3.12-marshmallow (no CPE), range: < 4.1.2-r0
  - pkg:apk/chainguard/py3.13-marshmallow (no CPE), range: < 4.1.2-r0
  - pkg:apk/chainguard/py3-marshmallow (no CPE), range: < 4.1.2-r0
  - pkg:apk/chainguard/py3-supported-marshmallow (no CPE), range: < 4.1.2-r0
  - pkg:apk/chainguard/superset-4.1 (no CPE), range: < 4.1.4-r4
  - pkg:apk/chainguard/superset-4.1-entrypoint (no CPE), range: < 4.1.4-r4
  - pkg:apk/chainguard/superset-4.1-iamguarded-compat (no CPE), range: < 4.1.4-r4
  - pkg:apk/chainguard/superset-5.0 (no CPE), range: < 5.0.0-r10
  - pkg:apk/chainguard/superset-5.0-entrypoint (no CPE), range: < 5.0.0-r10
  - pkg:apk/chainguard/superset-5.0-iamguarded-compat (no CPE), range: < 5.0.0-r10
  - pkg:apk/wolfi/airflow-3 (no CPE), range: < 3.1.5-r1
  - pkg:apk/wolfi/airflow-3-bitnami-compat (no CPE), range: < 3.1.5-r1
  - pkg:apk/wolfi/airflow-3-compat (no CPE), range: < 3.1.5-r1
  - pkg:apk/wolfi/airflow-3-iamguarded-compat (no CPE), range: < 3.1.5-r1
  - pkg:apk/wolfi/ggshield (no CPE), range: < 1.51.0-r0
  - pkg:apk/wolfi/open-webui (no CPE), range: < 0.6.41-r1
  - pkg:apk/wolfi/open-webui-compat (no CPE), range: < 0.6.41-r1
  - pkg:apk/wolfi/superset-4.1 (no CPE), range: < 4.1.4-r4
  - pkg:apk/wolfi/superset-4.1-entrypoint (no CPE), range: < 4.1.4-r4
  - pkg:apk/wolfi/superset-4.1-iamguarded-compat (no CPE), range: < 4.1.4-r4
  - pkg:apk/wolfi/superset-5.0 (no CPE), range: < 5.0.0-r10
  - pkg:apk/wolfi/superset-5.0-entrypoint (no CPE), range: < 5.0.0-r10
  - pkg:apk/wolfi/superset-5.0-iamguarded-compat (no CPE), range: < 5.0.0-r10
  - pkg:pypi/marshmallow (no CPE), range: >= 3.0.0rc1, < 3.26.2
  - pkg:rpm/opensuse/python-marshmallow&distro=openSUSE%20Leap%2015.6 (no CPE), range: < 3.20.2-150400.9.10.1
  - pkg:rpm/opensuse/python-marshmallow&distro=openSUSE%20Leap%2016.0 (no CPE), range: < 3.20.2-160000.3.1
  - pkg:rpm/opensuse/python-marshmallow&distro=openSUSE%20Tumbleweed (no CPE), range: < 3.26.2-1.1
  - pkg:rpm/suse/python-marshmallow&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP4 (no CPE), range: < 3.20.2-150400.9.10.1
  - pkg:rpm/suse/python-marshmallow&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP5 (no CPE), range: < 3.20.2-150400.9.10.1
  - pkg:rpm/suse/python-marshmallow&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP6 (no CPE), range: < 3.20.2-150400.9.10.1
  - pkg:rpm/suse/python-marshmallow&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP7 (no CPE), range: < 3.20.2-150400.9.10.1
  - pkg:rpm/suse/python-marshmallow&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 (no CPE), range: < 3.20.2-160000.3.1
  - pkg:rpm/suse/python-marshmallow&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 (no CPE), range: < 3.20.2-160000.3.1