CVE-2025-4565: DoS via RecursionError in Protobuf Pure-Python (fixed in 4.25.8, 5.29.5 and 6.31.1)
CVE-2025-4565 Published on June 16, 2025
Unbounded recursion in Python Protobuf
Any project that uses the Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be crashed by exceeding the Python recursion limit. This results in a denial of service: the application dies with a RecursionError. We recommend upgrading to version >=6.31.1 (or the 4.25.8 / 5.29.5 backports) or to a build at or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901.
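The advisory does not include a reproduction, so the following is an added example, not code from the protobuf project or from this page. It does two things in plain Python without importing google.protobuf: it constructs the kind of wire-format payload the advisory describes (a run of SGROUP start tags, nested arbitrarily deep, or left unterminated), and it scans a payload iteratively, with an explicit stack rather than recursion, to measure group nesting and reject anything deeper than a chosen limit before the bytes ever reach a parser. The function names, the default limit of 100 and the sample payloads are all assumptions made for this example.

```python
"""Wire-level group-nesting scanner for Protocol Buffers payloads.

Added example for CVE-2025-4565; not protobuf's own code. It never recurses,
so it cannot itself hit the Python recursion limit, and it needs no schema
because SGROUP/EGROUP tags are visible on the wire.
"""

# Wire types from the protobuf encoding spec.
WT_VARINT, WT_I64, WT_LEN, WT_SGROUP, WT_EGROUP, WT_I32 = 0, 1, 2, 3, 4, 5


def encode_varint(n: int) -> bytes:
    """Base-128 varint encoding used for tags and lengths."""
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def decode_varint(buf: bytes, pos: int):
    """Return (value, new_pos); raise ValueError on truncated/overlong input."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift >= 70:  # a varint is at most 10 bytes
            raise ValueError("varint too long")


def nested_group_payload(depth: int, field_number: int = 1) -> bytes:
    """Constructed payload: `depth` SGROUP tags followed by matching EGROUP tags."""
    start = encode_varint((field_number << 3) | WT_SGROUP)
    end = encode_varint((field_number << 3) | WT_EGROUP)
    return start * depth + end * depth


def unterminated_sgroup_payload(depth: int, field_number: int = 1) -> bytes:
    """Constructed payload: a bare series of SGROUP tags with no EGROUP at all."""
    return encode_varint((field_number << 3) | WT_SGROUP) * depth


def max_group_depth(buf: bytes, limit: int = 100) -> int:
    """Walk the top-level fields iteratively and return the deepest group nesting.

    Raises ValueError if nesting exceeds `limit` or the wire format is malformed.
    Length-delimited fields (wire type 2) are skipped as opaque bytes: without the
    schema a scanner cannot tell an embedded message from a string, so recursive
    *messages* (as opposed to groups) are not measured here.
    """
    pos, depth, deepest = 0, 0, 0
    open_groups = []  # explicit stack of field numbers, instead of recursion
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        field, wtype = tag >> 3, tag & 7
        if field == 0:
            raise ValueError("field number 0 is invalid")
        if wtype == WT_VARINT:
            _, pos = decode_varint(buf, pos)
        elif wtype == WT_I64:
            pos += 8
        elif wtype == WT_I32:
            pos += 4
        elif wtype == WT_LEN:
            length, pos = decode_varint(buf, pos)
            pos += length
        elif wtype == WT_SGROUP:
            open_groups.append(field)
            depth += 1
            if depth > limit:
                raise ValueError(f"group nesting exceeds limit of {limit}")
            deepest = max(deepest, depth)
        elif wtype == WT_EGROUP:
            if not open_groups or open_groups[-1] != field:
                raise ValueError("unmatched end-group tag")
            open_groups.pop()
            depth -= 1
        else:
            raise ValueError(f"unknown wire type {wtype}")
        if pos > len(buf):
            raise ValueError("field runs past end of buffer")
    if open_groups:
        raise ValueError(f"{len(open_groups)} unterminated group(s)")
    return deepest


def is_safe_to_parse(buf: bytes, limit: int = 100) -> bool:
    """Pre-parse gate: True only if the payload is well-formed and within the limit."""
    try:
        max_group_depth(buf, limit)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(max_group_depth(nested_group_payload(10)))            # 10
    print(is_safe_to_parse(nested_group_payload(5000)))         # False
    print(is_safe_to_parse(unterminated_sgroup_payload(5000)))  # False
```

A gate like this is a stopgap, not a substitute for upgrading: it only sees groups, and the advisory also covers recursive messages, which on the wire are length-delimited fields that look identical to strings. The real fix is the bounded recursion in the patched versions listed on this page.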
Weakness Type
What is a Stack Exhaustion Vulnerability?
The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.
CVE-2025-4565 is classified as a Stack Exhaustion (uncontrolled recursion) weakness.
Products Associated with CVE-2025-4565
Affected Versions
protocolbuffers Python-Protobuf:
- Before 4.25.8 is affected.
- Before 5.29.5 is affected.
- Before 6.31.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.