{"id":"CVE-2025-4565","details":"Any project that uses the Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a denial of service by crashing the application with a RecursionError. We recommend upgrading to version \u003e=6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901","aliases":["GHSA-8qvm-5x2c-j2w7"],"modified":"2026-04-12T16:55:25.413533Z","published":"2025-06-16T15:15:24.990Z","related":["CGA-w3jp-gh75-25j4","SUSE-SU-2025:02309-1","SUSE-SU-2025:02310-1","SUSE-SU-2025:02311-1","SUSE-SU-2025:20514-1","SUSE-SU-2025:20672-1","SUSE-SU-2025:3722-1","SUSE-SU-2026:20753-1","SUSE-SU-2026:20907-1","openSUSE-SU-2025:15265-1","openSUSE-SU-2026:20390-1"],"references":[{"type":"FIX","url":"https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/protocolbuffers/protobuf","events":[{"introduced":"0"},{"fixed":"a4cbdd3ed0042e8f9b9c30e8b0634096d9532809"},{"introduced":"d6511091a0cab1ad13f676a02676ad2a0e5eb9ae"},{"fixed":"f5de0a0495faa63b4186fc767324f8b9a7bf4fc4"},{"introduced":"d295af5c3002c08e1bfd9d7f9e175d0a4d015f1e"},{"fixed":"74211c0dfc2777318ab53c2cd2c317a2ef9012de"},{"fixed":"17838beda2943d08b8a9d4df5b68f5f04f26d901"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.25.8"},{"introduced":"5.26.0"},{"fixed":"5.29.5"},{"introduced":"6.30.0"},{"fixed":"6.31.1"}]}}],"versions":["rust-prerelease-4.30.0-beta1","rust-prerelease-4.31.0-beta1","v2.6.0","v2.6.1rc1","v25.0-rc1","v26-dev","v27-dev","v28-dev","v29-dev","v29.0-rc1","v3.0.0-alpha-3","v3.0.0-alpha-4","v3.0.0-beta-1","v3.0.0-beta-1-bzl-fix","v3.0.0-beta-2","v3.0.0-beta-3-pre-1","v3.12.3","v3.20.0-rc2","v3.25.0-rc1","v3.29.0-rc1","v30-dev","v31-dev","v31.0-rc1","v4.25.0-rc1","v4.31.0-rc1","v5.29.0-rc1","v
6.31.0-rc1"],"database_specific":{"vanir_signatures":[{"signature_type":"Line","deprecated":false,"signature_version":"v1","id":"CVE-2025-4565-28660012","source":"https://github.com/protocolbuffers/protobuf/commit/74211c0dfc2777318ab53c2cd2c317a2ef9012de","digest":{"line_hashes":["228606868923603677769672827467256280418","47561640358373228211429691835822805840","43839354369203371833717701412287303719","215908973485308819892957006685588128161"],"threshold":0.9},"target":{"file":"java/core/src/main/java/com/google/protobuf/RuntimeVersion.java"}},{"signature_type":"Line","deprecated":false,"signature_version":"v1","id":"CVE-2025-4565-4655b7e0","source":"https://github.com/protocolbuffers/protobuf/commit/f5de0a0495faa63b4186fc767324f8b9a7bf4fc4","digest":{"line_hashes":["234249782041082941473730652632081580949","1239930494250163717274066415174407419","67316742155608480760959593469768444953","215908973485308819892957006685588128161"],"threshold":0.9},"target":{"file":"java/core/src/main/java/com/google/protobuf/RuntimeVersion.java"}}],"vanir_signatures_modified":"2026-04-12T16:55:25Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-4565.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}