SentinelOne
CVE Vulnerability Database

CVE-2025-4565: Protobuf-Python DoS Vulnerability

CVE-2025-4565 is a denial of service vulnerability in Google Protobuf-Python that allows attackers to crash applications through recursive data structures. This article covers technical details, affected versions, and mitigation.

CVE-2025-4565 Overview

Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of Service by crashing the application with a RecursionError. We recommend upgrading to version >= 6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901.

Critical Impact

Exploiting this vulnerability can lead to application crashes, causing Denial of Service.

Affected Products

  • google protobuf-python

Discovery Timeline

  • 2025-06-16 - CVE CVE-2025-4565 published to NVD
  • 2025-08-14 - Last updated in NVD database

Technical Details for CVE-2025-4565

Vulnerability Analysis

This vulnerability is categorized as a Denial of Service caused by improper handling of recursive Protocol Buffers data. Deeply nested input drives the pure-Python parser past Python's recursion limit, raising a RecursionError that, if uncaught, crashes the application.

Root Cause

The root cause of this vulnerability stems from the lack of handling for deeply nested structures within the Protocol Buffers Python implementation, which leads to exceeding Python’s inherent recursion limit.

Attack Vector

Attackers can exploit this vulnerability remotely by sending specially crafted Protocol Buffers messages over a network.

```python
# Example exploitation code (sanitized)
from google.protobuf.message import Message

def trigger_recursion_error(message: Message, data: bytes) -> None:
    # data is deeply nested Protocol Buffers; on the pure-Python backend
    # before 6.31.1 parsing it raises RecursionError instead of DecodeError
    message.ParseFromString(data)
```

Detection Methods for CVE-2025-4565

Indicators of Compromise

  • Unexpected application crashes
  • Logs containing RecursionError
  • Abnormal application memory usage patterns

Detection Strategies

Monitoring for excessive and unexpected RecursionError exceptions in the application logs can indicate an attempted exploitation. Anomaly detection systems should be configured to alert on unusual recursion depths and stack usage.

Monitoring Recommendations

Implement logging and monitoring of application stack traces and stack depth. SentinelOne XDR can also be used to detect abnormal application terminations and error patterns.

How to Mitigate CVE-2025-4565

Immediate Actions Required

  • Upgrade to protobuf-python version >= 6.31.1
  • Implement input validation for Protocol Buffers
  • Sanitize and limit nesting depth of Protocol Buffers messages

Patch Information

A patch is available in the upstream Protobuf repository at commit 17838beda2943d08b8a9d4df5b68f5f04f26d901; the fix ships in protobuf-python 6.31.1.

Workarounds

As a temporary measure until the upgrade is applied, bound the recursion depth that parsing untrusted input can reach at runtime. Note that the operating-system stack limit below caps the C stack of the process, not Python's own recursion limit, which is what raises the RecursionError.

```bash
# Configuration example
ulimit -s 1024  # Caps the process stack size (KiB); does not change Python's recursion limit (sys.setrecursionlimit)
```
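As an added example (not code from the advisory or from the protobuf project), the guard below implements the "limit nesting depth" workaround for the group path of the wire format: it walks raw bytes iteratively and rejects input whose SGROUP nesting exceeds an assumed policy value MAX_GROUP_DEPTH before a pure-Python ParseFromString ever recurses. Embedded messages (length-delimited fields) cannot be told apart from bytes without a schema, so on unpatched versions still catch RecursionError around the real parse.

```python
# Added example (not the advisory's or protobuf's code): schema-free guard that
# bounds SGROUP/EGROUP nesting in raw wire bytes before a pure-Python
# ParseFromString. Iterative walk, so the guard itself cannot hit RecursionError.
MAX_GROUP_DEPTH = 64  # assumed policy value; tune to the schemas you accept
VARINT, FIXED64, LEN, SGROUP, EGROUP, FIXED32 = 0, 1, 2, 3, 4, 5
# Constructed sample: 300 nested empty groups on field 1 (tags 0x0b / 0x0c).
SAMPLE_DEEP = b"\x0b" * 300 + b"\x0c" * 300


def _read_varint(buf: bytes, pos: int) -> tuple:
    """Decode a base-128 varint at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf) or shift >= 70:
            raise ValueError("truncated or oversized varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def group_depth_ok(buf: bytes, max_depth: int = MAX_GROUP_DEPTH) -> bool:
    """True if group nesting stays within max_depth and all groups balance."""
    pos, depth = 0, 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        wire_type = tag & 0x7
        if wire_type == VARINT:
            _, pos = _read_varint(buf, pos)
        elif wire_type == FIXED64:
            pos += 8
        elif wire_type == LEN:  # bytes or embedded message: opaque without schema
            length, pos = _read_varint(buf, pos)
            pos += length
        elif wire_type == SGROUP:
            depth += 1
            if depth > max_depth:
                return False  # reject before the recursive decoder sees it
        elif wire_type == EGROUP:
            if depth == 0:
                raise ValueError("EGROUP without matching SGROUP")
            depth -= 1
        elif wire_type == FIXED32:
            pos += 4
        else:
            raise ValueError(f"unknown wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("field runs past end of buffer")
    return depth == 0
```

Call group_depth_ok on the raw bytes before ParseFromString and drop any input for which it returns False or raises.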

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
