Early Access — Mondoo Vulnerability Intelligence is currently in preview.

Mondoo Vulnerability Intelligence

Search vulnerabilities and malicious packages across npm, PyPI, Go, GitHub Actions, VS Code, and more.

GHSA-428g-f7cq-pgp5

MEDIUM5.3

Marshmallow has DoS in Schema.load(many)

Published Dec 22, 2025

Modified 3 days ago

Fix available

Details

Impact

Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time.

Patches

4.1.2, 3.26.2

Workarounds

# Fail fast
def load_many(schema, data, **kwargs):
    if not isinstance(data, list):
        raise ValidationError(['Invalid input type.'])
    return [schema.load(item, **kwargs) for item in data]

Affected Packages

PyPImarshmallow

Fixed in:

3.26.2

PyPImarshmallow

Fixed in:

4.1.2

References

ADVISORYhttps://github.com/advisories/GHSA-428g-f7cq-pgp5 PACKAGEhttps://github.com/marshmallow-code/marshmallow WEBhttps://github.com/marshmallow-code/marshmallow/commit/d24a0c9df061c4daa92f71cf85aca25b83eee508 WEBhttps://github.com/marshmallow-code/marshmallow/security/advisories/GHSA-428g-f7cq-pgp5 ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-68480

Aliases

CVE-2025-68480

CVSS Analysis

CVSS v3.1

5.3

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

NoneI:N

Availability

LowA:L

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2025-68480

Ecosystems

PyPI

Timeline

PublishedDec 22, 2025

ModifiedDec 23, 2025

GHSA-428g-f7cq-pgp5 | Mondoo Vulnerability Intelligence

Mondoo Vulnerability Intelligence

GHSA-428g-f7cq-pgp5

Details

Impact

Patches

Workarounds

Affected Packages

References

Aliases

CVSS Analysis

Related

Ecosystems

Timeline