CVE-2025-4565 Overview
Any project that uses the Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages, or a series of SGROUP tags can exceed the Python recursion limit. The result is a Denial of Service: the application crashes with a RecursionError. We recommend upgrading to version >= 6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901.
Critical Impact
Exploiting this vulnerability can lead to application crashes, causing Denial of Service.
Affected Products
- google protobuf-python
Discovery Timeline
- 2025-06-16 - CVE CVE-2025-4565 published to NVD
- 2025-08-14 - Last updated in NVD database
Technical Details for CVE-2025-4565
Vulnerability Analysis
This vulnerability is categorized as Denial of Service due to improper handling of recursive Protocol Buffers data. Deeply nested input drives the pure-Python parser past the interpreter's recursion limit (Python's guard against stack overflow); the interpreter raises RecursionError and, if nothing catches it, the application crashes.
Root Cause
The root cause is the absence of a nesting-depth limit for deeply nested structures in the pure-Python Protocol Buffers implementation: each nested message or group is parsed by a further recursive call, so attacker-controlled nesting depth translates directly into Python call depth and eventually exceeds Python's recursion limit.
Attack Vector
Attackers can exploit this vulnerability remotely by sending specially crafted Protocol Buffers messages over a network to any service that parses them with the pure-Python backend; no authentication is implied beyond whatever the receiving endpoint already requires.
# Example exploitation code (sanitized)
from google.protobuf.message import Message

def trigger_recursion_error(message: Message, data: bytes) -> None:
    # data is a deeply nested Protocol Buffers payload; with the pure-Python
    # backend, parsing recurses once per nesting level and raises RecursionError
    message.ParseFromString(data)
Detection Methods for CVE-2025-4565
Indicators of Compromise
- Unexpected application crashes
- Logs containing RecursionError
- Abnormal application memory usage patterns
Detection Strategies
Monitoring for excessive and unexpected RecursionError exceptions in the application logs can indicate attempted exploitation; tracebacks whose repeated frames sit inside google.protobuf.internal (the pure-Python decoder) distinguish this from unrelated recursion bugs in application code. Anomaly detection systems should be configured to alert on unusual recursion depths and stack usage.
Monitoring Recommendations
Implement logging and monitoring of application stack traces and stack depth. SentinelOne XDR can also be used to detect abnormal application terminations and error patterns.
How to Mitigate CVE-2025-4565
Immediate Actions Required
- Upgrade to protobuf-python version >= 6.31.1
- Implement input validation for Protocol Buffers
- Sanitize and limit nesting depth of Protocol Buffers messages
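A schema-free depth check, added here as an example (it is not code from the advisory or from the protobuf project), that implements the last two actions above: it scans the wire format iteratively, counting SGROUP nesting, and wraps the parse call so a RecursionError is turned into a rejected message rather than a crashed process. The names (max_group_depth, guarded_parse, DEEP_SAMPLE) and the 64-level default are assumptions; embedded messages encoded as length-delimited fields cannot be measured without the descriptor, so for those the wrapper's RecursionError handling is the safety net.

```python
VARINT, FIXED64, LEN, SGROUP, EGROUP, FIXED32 = 0, 1, 2, 3, 4, 5  # wire types
# Constructed sample: 200 SGROUP tags for field 1 (0x0B), then matching EGROUPs (0x0C)
DEEP_SAMPLE = bytes([0x0B]) * 200 + bytes([0x0C]) * 200

def _read_varint(buf: bytes, pos: int) -> tuple:
    # Decode one base-128 varint at pos; return (value, new_pos)
    result = shift = 0
    while pos < len(buf) and shift <= 63:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated or over-long varint")

def max_group_depth(buf: bytes) -> int:
    """Scan the wire format iteratively and return the deepest SGROUP nesting.
    Schema-free: length-delimited fields are skipped whole, so bytes/strings
    never count and embedded messages (descriptor needed) are not inspected."""
    pos = depth = deepest = 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        wtype = tag & 7
        if wtype == VARINT:
            _, pos = _read_varint(buf, pos)
        elif wtype in (FIXED64, FIXED32):
            pos += 8 if wtype == FIXED64 else 4
        elif wtype == LEN:
            length, pos = _read_varint(buf, pos)
            pos += length
        elif wtype == SGROUP:
            depth += 1
            deepest = max(deepest, depth)
        elif wtype == EGROUP and depth > 0:
            depth -= 1
        else:
            raise ValueError(f"bad wire type {wtype} or unmatched EGROUP")
        if pos > len(buf):
            raise ValueError("truncated field")
    return deepest

def guarded_parse(parse, data: bytes, max_depth: int = 64) -> bool:
    # Bound depth before parsing; a RecursionError raised by `parse`
    # (e.g. a message's ParseFromString) becomes a rejection, not a crash
    if max_group_depth(data) > max_depth:
        return False
    try:
        parse(data)
    except RecursionError:
        return False
    return True
```

Run the check before handing bytes to ParseFromString; a ValueError from the scanner means malformed input and should be rejected as well.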
Patch Information
A patch is available at: Protobuf Patch (commit 17838beda2943d08b8a9d4df5b68f5f04f26d901, shipped in version 6.31.1).
Workarounds
Until the upgrade is applied, set a limit on Python's recursion depth at runtime and catch RecursionError where untrusted messages are parsed, so that over-deep input is rejected instead of terminating the process. Lowering the recursion limit on its own only makes the error occur sooner; the application must still handle it.
# Configuration example
import sys
sys.setrecursionlimit(1000)  # Python's default; a lower value makes deeply nested input fail sooner
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

