Description

Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time. This issue has been patched in version 3.26.2 and 4.1.2.

INFO

Published Date :

2025-12-22T21:20:15.958Z

Last Modified :

2025-12-22T21:35:02.469Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-68480 vulnerability.

Vendors Products
Marshmallow Project
  • Marshmallow
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-68480.

URL Resource
https://github.com/marshmallow-code/marshmallow/commit/d24a0c9df061c4daa92f71cf85aca25b83eee508 cve-icon cve-icon cve-icon
https://github.com/marshmallow-code/marshmallow/security/advisories/GHSA-428g-f7cq-pgp5 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-68480 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-68480 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact