CVE-2025-68480
📋 TL;DR
marshmallow versions 3.0.0rc1 through 3.26.1 and 4.0.0 through 4.1.1 contain a denial-of-service vulnerability in Schema.load() when it is called with many=True. An attacker can send moderately sized requests that cause disproportionate CPU consumption, degrading or crashing the affected service. Any Python application that passes untrusted input to a vulnerable marshmallow version for deserialization is affected.
💻 Affected Systems
- marshmallow
⚠️ Manual Verification Required
Automatic detection could not determine whether your system is affected: the CVE database record used by this page carries no version ranges.
Why? No version ranges were present in the vendor/NVD record at the time this page was generated. The vendor advisory linked below does list them (3.0.0rc1 through 3.26.1 and 4.0.0 through 4.1.1), so compare your installed version against those ranges by hand.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to CPU exhaustion, affecting all users of the vulnerable application.
Likely Case
Degraded performance and intermittent service disruptions under attack conditions.
If Mitigated
Minimal impact with proper rate limiting, request validation, and monitoring in place.
🎯 Exploit Status
Exploitation requires sending specially crafted data to an endpoint that passes untrusted input to Schema.load() with many=True on a vulnerable marshmallow version.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.26.2 or 4.1.2
Vendor Advisory: https://github.com/marshmallow-code/marshmallow/security/advisories/GHSA-428g-f7cq-pgp5
Restart Required: Yes
Instructions:
1. Identify marshmallow version: pip show marshmallow
2. Update to a patched version: pip install --upgrade "marshmallow>=3.26.2,<4" (to stay on v3) or pip install --upgrade "marshmallow>=4.1.2" (for v4)
3. Restart all affected Python applications
4. Test functionality to ensure compatibility
🔧 Temporary Workarounds
Input validation and size limiting (all platforms)
Implement request size limits and validate input data (type and item count) before passing it to marshmallow
Rate limiting (all platforms)
Implement rate limiting on endpoints that use marshmallow deserialization
🧯 If You Can't Patch
- Implement strict request size limits (e.g., <1MB) on all endpoints using marshmallow, and cap the number of items accepted by any endpoint that loads with many=True; the triggering requests are only moderately sized, so a byte limit alone may not stop them
- Deploy WAF rules to detect and block suspicious serialization patterns, such as repeated identical bodies sent to batch endpoints
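The following is an added example, not code from the marshmallow project or the advisory. It implements the workarounds above (request size limit, input validation before deserialization) and the "If You Can't Patch" caps as one pre-check that runs on the raw request body before anything reaches Schema.load(..., many=True). The limits, the exception type and the UserSchema in the demo are illustrative choices, not values from the advisory.

```python
"""Guard untrusted batch input before it reaches Schema.load(..., many=True).

Added example, not marshmallow project code. The limits and the exception
type are illustrative choices, not values from the advisory.
"""
import json

MAX_BODY_BYTES = 1_000_000   # the page suggests <1MB; tune per endpoint
MAX_BATCH_ITEMS = 500        # illustrative cap on list length for many=True


class PayloadRejected(ValueError):
    """Raised when a request is refused before deserialization."""


def check_batch_payload(raw_body, max_bytes=MAX_BODY_BYTES, max_items=MAX_BATCH_ITEMS):
    """Return the parsed list if raw_body is an acceptable batch, else raise.

    Order matters: the byte-size check runs before json.loads so an oversized
    body is never parsed, and the item-count check runs before marshmallow so
    the many=True code path only ever sees a bounded list of objects.
    """
    if not isinstance(raw_body, (bytes, bytearray)):
        raise PayloadRejected("body must be raw bytes")
    if len(raw_body) > max_bytes:
        raise PayloadRejected(f"body of {len(raw_body)} bytes exceeds {max_bytes}")
    try:
        data = json.loads(raw_body)
    except ValueError as exc:
        raise PayloadRejected(f"body is not valid JSON: {exc}") from exc
    if not isinstance(data, list):
        raise PayloadRejected("batch endpoint expects a JSON array")
    if len(data) > max_items:
        raise PayloadRejected(f"{len(data)} items exceeds limit of {max_items}")
    if not all(isinstance(item, dict) for item in data):
        raise PayloadRejected("every batch item must be a JSON object")
    return data


def load_batch(schema_load, raw_body, **limits):
    """Run the pre-checks, then hand the bounded list to a loader callable.

    schema_load is expected to behave like a bound marshmallow Schema.load
    with many=True, e.g. ``lambda d: schema.load(d, many=True)``.
    """
    return schema_load(check_batch_payload(raw_body, **limits))


if __name__ == "__main__":
    # Demo wiring to marshmallow; imported here so the guard itself has no
    # dependency on the library and the module imports cleanly without it.
    from marshmallow import Schema, fields

    class UserSchema(Schema):  # illustrative schema, not from the advisory
        name = fields.Str(required=True)
        age = fields.Int()

    good = json.dumps([{"name": "a", "age": 1}, {"name": "b"}]).encode()
    print(load_batch(lambda d: UserSchema().load(d, many=True), good))
    flood = json.dumps([{"name": "x"}] * 10_000).encode()  # 10k items, still well under 1MB
    try:
        load_batch(lambda d: UserSchema().load(d, many=True), flood)
    except PayloadRejected as exc:
        print("rejected:", exc)
```

The guard is intentionally independent of marshmallow so it can sit in a framework middleware or request hook; the item cap is the check that matters here, because a list of ten thousand tiny objects stays far below a 1MB body limit.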
🔍 How to Verify
Check if Vulnerable:
Read the installed version from package metadata and compare it with the affected ranges (3.0.0rc1 to 3.26.1, 4.0.0 to 4.1.1):
python -c "import importlib.metadata as m; print(m.version('marshmallow'))"
This works whether or not the package exposes marshmallow.__version__ (the attribute is deprecated on the 3.x line and may be absent on 4.x, so an attribute-based check can fail on exactly the releases you most need to test).
Verify Fix Applied:
The reported version is 3.26.2 or higher on the 3.x line, or 4.1.2 or higher on the 4.x line.
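An added example, not part of this page or the marshmallow project, that turns the check above into a script: it reads the installed version from package metadata and tests it against the ranges published on this page. The version parser is deliberately minimal (it understands only the X.Y.Z, X.Y.ZaN, X.Y.ZbN and X.Y.ZrcN forms, not full PEP 440), so that the script has no third-party dependency; the range table is the page's own data.

```python
"""Check whether the installed marshmallow falls in the CVE-2025-68480 ranges.

Added example, not marshmallow project code. The affected and fixed versions
below are the ones stated on this page; the parser is a minimal one covering
the X.Y.Z[aN|bN|rcN] forms only, not full PEP 440.
"""
import importlib.metadata
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL = 3  # a final release sorts after any of its pre-releases

# (first affected, last affected, first fixed) per release line, from this page
AFFECTED_RANGES = {
    3: ("3.0.0rc1", "3.26.1", "3.26.2"),
    4: ("4.0.0", "4.1.1", "4.1.2"),
}


def parse_version(text):
    """Turn '3.0.0rc1' into a comparable tuple (3, 0, 0, 2, 1)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    rank = _PRE_RANK[pre] if pre else _FINAL
    return (int(major), int(minor), int(patch), rank, int(pre_num or 0))


def is_affected(version_text):
    """True if this version lies inside one of the published affected ranges."""
    v = parse_version(version_text)
    rng = AFFECTED_RANGES.get(v[0])
    if rng is None:          # 2.x and earlier are not in the advisory's ranges
        return False
    first, last, _ = rng
    return parse_version(first) <= v <= parse_version(last)


def recommended_fix(version_text):
    """First patched version on the same major line, or None if not affected."""
    if not is_affected(version_text):
        return None
    return AFFECTED_RANGES[parse_version(version_text)[0]][2]


def installed_version(dist="marshmallow"):
    """Version from package metadata; independent of any __version__ attribute."""
    try:
        return importlib.metadata.version(dist)
    except importlib.metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("marshmallow is not installed in this interpreter")
    elif is_affected(v):
        print(f"marshmallow {v} is AFFECTED; upgrade to {recommended_fix(v)} or later")
    else:
        print(f"marshmallow {v} is not in the affected ranges")
```

Run it with the same interpreter the application uses; a version that is fine in your shell's Python proves nothing about a virtualenv or container image.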
📡 Detection & Monitoring
Log Indicators:
- Unusually high CPU usage on marshmallow endpoints
- Request timeouts on deserialization endpoints
- Repeated requests with similar payloads
Network Indicators:
- Multiple requests to marshmallow endpoints with moderate payload sizes
- Spike in request volume to serialization endpoints
SIEM Query (Splunk-style; the original exact-match form would never fire because message= compares the whole field, so substring wildcards are needed; expect noise and pivot on source address and endpoint):
source="application.logs" AND (message="*marshmallow*" OR message="*Schema.load*") AND (message="*timeout*" OR message="*CPU*" OR message="*slow*")
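An added example, not from the marshmallow project or any SIEM vendor, that runs the log and network indicators above over access-log records rather than free-text messages. The log format (one JSON object per line with ts, src, path, status, duration_ms and body_sha256), the endpoint paths, the sample lines and the thresholds are all constructed for this page.

```python
"""Scan application access logs for the CVE-2025-68480 indicators.

Added example, not from the marshmallow project or any SIEM vendor. The
JSON-lines format, the endpoint list, the sample records and the thresholds
are constructed for illustration.
"""
import json
from collections import Counter
from datetime import datetime, timedelta

BATCH_PATHS = ("/api/users/bulk", "/api/orders/bulk")  # endpoints that call load(many=True)
SLOW_MS = 2_000          # a single deserialization slower than this is suspicious
REPEAT_COUNT = 5         # same client + same body this many times inside WINDOW
WINDOW = timedelta(minutes=1)

# Constructed sample: one benign client and one hammering a batch endpoint
# with the same body, each request timing out at the gateway.
SAMPLE_LOG = """\
{"ts": "2025-12-01T10:00:00Z", "src": "203.0.113.7", "path": "/api/users/bulk", "status": 200, "duration_ms": 45, "body_sha256": "aaa1"}
{"ts": "2025-12-01T10:00:02Z", "src": "198.51.100.9", "path": "/api/users/bulk", "status": 504, "duration_ms": 30000, "body_sha256": "bad1"}
{"ts": "2025-12-01T10:00:05Z", "src": "198.51.100.9", "path": "/api/users/bulk", "status": 504, "duration_ms": 30000, "body_sha256": "bad1"}
{"ts": "2025-12-01T10:00:08Z", "src": "198.51.100.9", "path": "/api/users/bulk", "status": 504, "duration_ms": 30000, "body_sha256": "bad1"}
{"ts": "2025-12-01T10:00:11Z", "src": "198.51.100.9", "path": "/api/users/bulk", "status": 504, "duration_ms": 30000, "body_sha256": "bad1"}
{"ts": "2025-12-01T10:00:14Z", "src": "198.51.100.9", "path": "/api/users/bulk", "status": 504, "duration_ms": 30000, "body_sha256": "bad1"}
{"ts": "2025-12-01T10:00:20Z", "src": "203.0.113.7", "path": "/api/users/1", "status": 200, "duration_ms": 12, "body_sha256": null}
{"ts": "2025-12-01T10:00:25Z", "src": "203.0.113.7", "path": "/api/orders/bulk", "status": 200, "duration_ms": 3500, "body_sha256": "ccc3"}
"""


def parse_lines(text):
    """Parse JSON-lines log text; blank or malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        out.append(rec)
    return out


def slow_batch_requests(records, slow_ms=SLOW_MS):
    """Log indicator: timeouts or very slow responses on batch endpoints."""
    return [r for r in records
            if r["path"] in BATCH_PATHS and (r["duration_ms"] >= slow_ms or r["status"] == 504)]


def repeated_payloads(records, count=REPEAT_COUNT, window=WINDOW):
    """Network indicator: one client re-sending an identical body to a batch endpoint.

    Sliding window keyed on (src, body_sha256); the pair is reported as soon
    as `count` hits fall inside `window`.
    """
    alerts = set()
    seen = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["path"] not in BATCH_PATHS or not r["body_sha256"]:
            continue
        key = (r["src"], r["body_sha256"])
        times = [t for t in seen.get(key, []) if r["ts"] - t <= window]
        times.append(r["ts"])
        seen[key] = times
        if len(times) >= count:
            alerts.add(key)
    return sorted(alerts)


def scan(text):
    """Run both detections and summarise slow requests per source address."""
    records = parse_lines(text)
    by_src = Counter(r["src"] for r in slow_batch_requests(records))
    return {"slow_by_src": dict(by_src), "repeated": repeated_payloads(records)}


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_LOG), indent=2))
```

Hashing the request body at the gateway is what makes the repeat detection cheap; without it the nearest substitute is content-length plus path, which is much noisier on a batch endpoint.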