{"id":"CVE-2025-68480","summary":"Marshmallow has DoS in Schema.load(many)","details":"Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time. This issue has been patched in versions 3.26.2 and 4.1.2.","aliases":["GHSA-428g-f7cq-pgp5"],"modified":"2026-04-10T05:36:24.039887Z","published":"2025-12-22T21:20:15.958Z","related":["CGA-58v8-9585-96g7","SUSE-SU-2026:0226-1","SUSE-SU-2026:20130-1","openSUSE-SU-2026:10003-1","openSUSE-SU-2026:20087-1"],"database_specific":{"cwe_ids":["CWE-405"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68480.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68480.json"},{"type":"ADVISORY","url":"https://github.com/marshmallow-code/marshmallow/security/advisories/GHSA-428g-f7cq-pgp5"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68480"},{"type":"FIX","url":"https://github.com/marshmallow-code/marshmallow/commit/d24a0c9df061c4daa92f71cf85aca25b83eee508"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/marshmallow-code/marshmallow","events":[{"introduced":"55932fa4e4ba7496f424ed2942d7963051030699"},{"fixed":"1407d5102ae020421ddc8425474e976325a9539e"}],"database_specific":{"versions":[{"introduced":"3.0.0rc1"},{"fixed":"3.26.2"}]}},{"type":"GIT","repo":"https://github.com/marshmallow-code/marshmallow","events":[{"introduced":"84b15960272c16525c945ae99749e505310612a9"},{"fixed":"692e79df9cb03458c0bd215b32ef83d92afb9a47"}],"database_specific":{"versions":[{"introduced":"4.0.0"},{"fixed":"4.1.2"}]}}],"versions":["3.0.0","3.0.0rc1","3.0.0rc2","3.0.0rc3","3.0.0rc4","3.0.0rc5","3.0.0rc6","3.0.
0rc7","3.0.0rc8","3.0.0rc9","3.0.1","3.0.2","3.0.3","3.0.4","3.0.5","3.1.0","3.1.1","3.10.0","3.11.0","3.11.1","3.12.0","3.12.1","3.12.2","3.13.0","3.14.0","3.14.1","3.15.0","3.16.0","3.17.0","3.17.1","3.18.0","3.19.0","3.2.0","3.2.1","3.2.2","3.20.0","3.20.1","3.20.2","3.21.0","3.21.1","3.21.2","3.21.3","3.22.0","3.23.0","3.23.1","3.23.2","3.23.3","3.24.0","3.24.1","3.24.2","3.25.0","3.25.1","3.26.0","3.26.1","3.3.0","3.4.0","3.5.0","3.5.1","3.5.2","3.6.0","3.6.1","3.7.0","3.7.1","3.8.0","3.9.0","3.9.1","4.0.0","4.0.1","4.1.0","4.1.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68480.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}