CVE-2025-4565

Source
https://cve.org/CVERecord?id=CVE-2025-4565
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-4565.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-4565
Published
2025-06-16T15:15:24.990Z
Modified
2026-03-26T17:29:10.679288Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
[none]
Details

Any project that uses the Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages, or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a denial of service by crashing the application with a RecursionError. We recommend upgrading to version >=6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901.

Affected packages

Git / github.com/protocolbuffers/protobuf

Affected ranges

Type
GIT
Repo
https://github.com/protocolbuffers/protobuf
Events
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.25.8"
        },
        {
            "introduced": "5.26.0"
        },
        {
            "fixed": "5.29.5"
        },
        {
            "introduced": "6.30.0"
        },
        {
            "fixed": "6.31.1"
        }
    ]
}

Affected versions

3.*
3.15.0-rc1
Other
conformance-build-tag
v26-dev
v27-dev
v28-dev
v29-dev
v30-dev
v31-dev
rust-prerelease-4.*
rust-prerelease-4.30.0-beta1
rust-prerelease-4.31.0-beta1
v16.*
v16.2
v18.*
v18.3
v19.*
v19.5
v2.*
v2.4.1
v2.5.0
v2.6.0
v2.6.1
v2.6.1rc1
v20.*
v20.2
v21.*
v21.0
v21.0-rc1
v21.0-rc2
v21.1
v21.10
v21.11
v21.12
v21.2
v21.3
v21.4
v21.5
v21.6
v21.7
v21.8
v21.9
v22.*
v22.0
v22.0-rc1
v22.0-rc2
v22.0-rc3
v22.1
v22.2
v22.3
v22.4
v22.5
v23.*
v23.0
v23.0-rc1
v23.0-rc2
v23.0-rc3
v23.1
v23.2
v23.3
v23.4
v24.*
v24.0
v24.0-rc1
v24.0-rc2
v24.0-rc3
v24.1
v24.2
v24.3
v24.4
v25.*
v25.0
v25.0-rc1
v25.0-rc2
v25.1
v25.2
v25.3
v25.4
v25.5
v25.6
v25.7
v26.*
v26.0
v26.0-rc1
v26.0-rc2
v26.0-rc3
v26.1
v27.*
v27.0
v27.0-rc1
v27.0-rc2
v27.0-rc3
v27.1
v27.2
v27.3
v27.4
v27.5
v28.*
v28.0
v28.0-rc1
v28.0-rc2
v28.0-rc3
v28.1
v28.2
v28.3
v29.*
v29.0
v29.0-rc1
v29.0-rc2
v29.0-rc3
v29.1
v29.2
v29.3
v29.4
v3.*
v3.0.0
v3.0.0-alpha-1
v3.0.0-alpha-2
v3.0.0-alpha-3
v3.0.0-alpha-3.1
v3.0.0-alpha-4
v3.0.0-alpha-4.1
v3.0.0-beta-1
v3.0.0-beta-1-bzl-fix
v3.0.0-beta-1.1
v3.0.0-beta-2
v3.0.0-beta-3
v3.0.0-beta-3-pre-1
v3.0.0-beta-3.1
v3.0.0-beta-3.2
v3.0.0-beta-3.3
v3.0.0-beta-4
v3.0.0-javalite
v3.0.1-javalite
v3.0.2
v3.1.0
v3.1.0-alpha-1
v3.10.0
v3.10.0-rc1
v3.10.1
v3.11.0
v3.11.0-rc1
v3.11.0-rc2
v3.11.1
v3.11.2
v3.11.3
v3.11.4
v3.12.0
v3.12.0-rc1
v3.12.0-rc2
v3.12.1
v3.12.2
v3.12.3
v3.12.4
v3.13.0
v3.13.0-rc3
v3.13.0.1
v3.14.0
v3.14.0-rc1
v3.14.0-rc2
v3.14.0-rc3
v3.15.0
v3.15.0-rc1
v3.15.0-rc2
v3.15.1
v3.15.2
v3.15.3
v3.15.4
v3.15.5
v3.15.6
v3.15.7
v3.15.8
v3.16.0
v3.16.0-rc1
v3.16.0-rc2
v3.16.1
v3.16.2
v3.16.3
v3.17.0
v3.17.0-rc1
v3.17.0-rc2
v3.17.1
v3.17.2
v3.17.3
v3.18.0
v3.18.0-rc1
v3.18.0-rc2
v3.18.1
v3.18.2
v3.18.3
v3.19.0
v3.19.0-rc1
v3.19.0-rc2
v3.19.1
v3.19.2
v3.19.3
v3.19.4
v3.19.5
v3.19.6
v3.2.0
v3.2.0-alpha-1
v3.2.0-rc.1
v3.2.0rc2
v3.2.1
v3.20.0
v3.20.0-rc1
v3.20.0-rc2
v3.20.0-rc3
v3.20.1
v3.20.1-rc1
v3.20.2
v3.20.3
v3.21.0
v3.21.0-rc2
v3.21.1
v3.21.10
v3.21.11
v3.21.12
v3.21.2
v3.21.3
v3.21.4
v3.21.5
v3.21.6
v3.21.7
v3.21.8
v3.21.9
v3.22.0
v3.22.0-rc1
v3.22.0-rc2
v3.22.0-rc3
v3.22.1
v3.22.2
v3.22.3
v3.22.4
v3.22.5
v3.23.0
v3.23.0-rc1
v3.23.0-rc2
v3.23.0-rc3
v3.23.1
v3.23.2
v3.23.3
v3.23.4
v3.24.0
v3.24.0-rc1
v3.24.0-rc2
v3.24.0-rc3
v3.24.1
v3.24.2
v3.24.3
v3.24.4
v3.25.0
v3.25.0-rc1
v3.25.0-rc2
v3.25.1
v3.25.2
v3.25.3
v3.25.4
v3.25.5
v3.25.6
v3.25.7
v3.26.0
v3.26.0-rc1
v3.26.0-rc2
v3.26.0-rc3
v3.26.1
v3.27.0
v3.27.0-rc1
v3.27.0-rc2
v3.27.0-rc3
v3.27.1
v3.27.2
v3.27.3
v3.27.4
v3.27.5
v3.28.0
v3.28.0-rc1
v3.28.0-rc2
v3.28.0-rc3
v3.28.1
v3.28.2
v3.28.3
v3.29.0
v3.29.0-rc1
v3.29.0-rc2
v3.29.0-rc3
v3.29.1
v3.29.2
v3.29.3
v3.29.4
v3.3.0
v3.3.0rc1
v3.3.1
v3.3.2
v3.4.0
v3.4.0rc1
v3.4.0rc2
v3.4.0rc3
v3.4.1
v3.5.0
v3.5.0.1
v3.5.1
v3.5.1.1
v3.5.2
v3.6.0
v3.6.0.1
v3.6.0rc1
v3.6.0rc2
v3.6.1
v3.6.1.1
v3.6.1.2
v3.6.1.3
v3.7.0
v3.7.0-rc.2
v3.7.0-rc.3
v3.7.0rc1
v3.7.0rc2
v3.7.1
v3.8.0
v3.8.0-rc1
v3.9.0
v3.9.0-rc1
v3.9.1
v3.9.2
v30.*
v30.0
v30.0-rc1
v30.0-rc2
v30.1
v30.2
v31.*
v31.0
v31.0-rc1
v31.0-rc2
v4.*
v4.22.0
v4.22.0-rc1
v4.22.0-rc2
v4.22.0-rc3
v4.22.1
v4.22.2
v4.22.3
v4.22.4
v4.22.5
v4.23.0
v4.23.0-rc1
v4.23.0-rc2
v4.23.0-rc3
v4.23.1
v4.23.2
v4.23.3
v4.23.4
v4.24.0
v4.24.0-rc1
v4.24.0-rc2
v4.24.0-rc3
v4.24.1
v4.24.2
v4.24.3
v4.24.4
v4.25.0
v4.25.0-rc1
v4.25.0-rc2
v4.25.1
v4.25.2
v4.25.3
v4.25.4
v4.25.5
v4.25.6
v4.25.7
v4.30.0
v4.30.0-rc1
v4.30.0-rc2
v4.30.1
v4.30.2
v4.31.0
v4.31.0-rc1
v4.31.0-rc2
v5.*
v5.26.0
v5.26.0-rc1
v5.26.0-rc2
v5.26.0-rc3
v5.26.1
v5.27.0
v5.27.0-rc1
v5.27.0-rc2
v5.27.0-rc3
v5.27.1
v5.27.2
v5.27.3
v5.27.4
v5.27.5
v5.28.0
v5.28.0-rc1
v5.28.0-rc2
v5.28.0-rc3
v5.28.1
v5.28.2
v5.28.3
v5.29.0
v5.29.0-rc1
v5.29.0-rc2
v5.29.0-rc3
v5.29.1
v5.29.2
v5.29.3
v5.29.4
v6.*
v6.30.0
v6.30.0-rc1
v6.30.0-rc2
v6.30.1
v6.30.2
v6.31.0
v6.31.0-rc1
v6.31.0-rc2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-4565.json"
vanir_signatures
[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "228606868923603677769672827467256280418",
                "47561640358373228211429691835822805840",
                "43839354369203371833717701412287303719",
                "215908973485308819892957006685588128161"
            ]
        },
        "target": {
            "file": "java/core/src/main/java/com/google/protobuf/RuntimeVersion.java"
        },
        "signature_version": "v1",
        "id": "CVE-2025-4565-28660012",
        "source": "https://github.com/protocolbuffers/protobuf/commit/74211c0dfc2777318ab53c2cd2c317a2ef9012de",
        "signature_type": "Line",
        "deprecated": false
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "234249782041082941473730652632081580949",
                "1239930494250163717274066415174407419",
                "67316742155608480760959593469768444953",
                "215908973485308819892957006685588128161"
            ]
        },
        "target": {
            "file": "java/core/src/main/java/com/google/protobuf/RuntimeVersion.java"
        },
        "signature_version": "v1",
        "id": "CVE-2025-4565-4655b7e0",
        "source": "https://github.com/protocolbuffers/protobuf/commit/f5de0a0495faa63b4186fc767324f8b9a7bf4fc4",
        "signature_type": "Line",
        "deprecated": false
    }
]