Home > Vulnerability Database > CVE-2025-68480

Mend.io Vulnerability Database

CVE-2025-68480

Good to know:

Date: December 22, 2025

Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time. This issue has been patched in version 3.26.2 and 4.1.2.

Severity Score

5.3

Related Resources (5)

Url: https://github.com/marshmallow-code/marshmallow/commit/d24a0c9df061c4daa92f71cf85aca25b83eee508

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-68480

Url: https://github.com/marshmallow-code/marshmallow

Url: https://github.com/marshmallow-code/marshmallow/security/advisories/GHSA-428g-f7cq-pgp5

Url: https://www.mend.io/vulnerability-database/CVE-2025-68480

Severity Score

5.3

Weakness Type (CWE)

Asymmetric Resource Consumption (Amplification)

CWE-405

Top Fix

Upgrade Version

Upgrade to version marshmallow - 3.26.2;marshmallow - 4.1.2;https://github.com/marshmallow-code/marshmallow.git - 4.1.2;https://github.com/marshmallow-code/marshmallow.git - 3.26.2

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-68480

Good to know:

Date: December 22, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?