VYPR
Medium severity (5.3) · OSV Advisory · Published Dec 22, 2025 · Updated Apr 15, 2026

CVE-2025-68480

Description

Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions 3.0.0rc1 up to but not including 3.26.2, and 4.0.0 up to but not including 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service: a moderately sized request can consume a disproportionate amount of CPU time. This issue is patched in versions 3.26.2 and 4.1.2.
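The two checks a practitioner typically wants after reading this advisory are "is my installed marshmallow in an affected range?" and "how do I stop untrusted callers from handing an unbounded list to Schema.load(many=True) until I have upgraded?". The block below is an added example, not marshmallow's own code and not from the advisory. It uses only the standard library so it runs whether or not marshmallow is installed; the version ranges are copied from this advisory, while the item cap (max_items) and the fake_load stand-in are assumptions constructed for the demo. Capping the list length is a mitigation for the CPU cost described above, not a substitute for upgrading to 3.26.2 or 4.1.2.

```python
"""Checks for CVE-2025-68480 (marshmallow Schema.load(..., many=True) DoS).

Added example, not marshmallow's own code. Standard library only.
  1. is_affected(): does a marshmallow version fall in a range the advisory lists?
  2. load_many_bounded(): cap the number of items a request may hand to
     Schema.load(many=True) so an untrusted caller cannot submit a large
     list to burn CPU on an unpatched install. The cap is an assumption;
     tune it to the endpoint.
"""
from __future__ import annotations

import re
from typing import Any, Callable, Optional, Sequence, Tuple

# Affected ranges exactly as published in the advisory: [lower, upper).
AFFECTED_RANGES: Tuple[Tuple[str, str], ...] = (
    ("3.0.0rc1", "3.26.2"),
    ("4.0.0", "4.1.2"),
)

# major.minor.patch with an optional a/b/rc pre-release tag (a PEP 440 subset,
# enough for marshmallow's release history).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Return a sortable tuple; pre-releases sort before their final release."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unsupported version string: {text!r}")
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    if m.group(4) is None:
        tail = (1, 0, 0)  # final release
    else:
        rank = {"a": 0, "b": 1, "rc": 2}[m.group(4)]
        tail = (0, rank, int(m.group(5)))  # pre-release sorts below final
    return release + tail


def is_affected(version: str) -> bool:
    """True if `version` lies in any advisory range (lower inclusive, upper exclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def installed_marshmallow_affected() -> Optional[bool]:
    """Check the marshmallow installed in this interpreter; None if not installed."""
    from importlib.metadata import PackageNotFoundError, version

    try:
        return is_affected(version("marshmallow"))
    except PackageNotFoundError:
        return None


class PayloadTooLarge(ValueError):
    """Raised before an oversized payload reaches Schema.load()."""


def load_many_bounded(load: Callable[..., Any], data: Any, *, max_items: int) -> Any:
    """Reject non-list or oversized payloads, then call `load(data, many=True)`.

    `load` is meant to be a bound `Schema.load`; it is passed in so the guard
    can be exercised without marshmallow installed.
    """
    if not isinstance(data, list):
        raise PayloadTooLarge("expected a JSON array for many=True")
    if len(data) > max_items:
        raise PayloadTooLarge(f"{len(data)} items exceeds the limit of {max_items}")
    return load(data, many=True)


if __name__ == "__main__":
    # Constructed stand-in for Schema().load so the demo runs offline.
    def fake_load(items: Sequence[Any], many: bool = False) -> Any:
        return list(items) if many else items

    for v in ("3.26.1", "3.26.2", "4.1.1", "4.1.2", "2.21.0"):
        print(v, "affected" if is_affected(v) else "ok")
    print("installed:", installed_marshmallow_affected())
    print(load_many_bounded(fake_load, [{"id": 1}, {"id": 2}], max_items=100))
    try:
        load_many_bounded(fake_load, [{}] * 101, max_items=100)
    except PayloadTooLarge as exc:
        print("rejected:", exc)
```

In a web handler the guard wraps the real call, e.g. load_many_bounded(ItemSchema().load, request.json, max_items=1000); the check costs O(1) and runs before any per-item validation, which is the point. Run installed_marshmallow_affected() in a startup or CI check so the deployment fails loudly rather than relying on the cap alone.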

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               Affected versions        Patched versions
marshmallow (PyPI)    >= 3.0.0rc1, < 3.26.2    3.26.2
marshmallow (PyPI)    >= 4.0.0, < 4.1.2        4.1.2
