GHSA-428g-f7cq-pgp5: Marshmallow has DoS in Schema.load(many)
Impact
Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time.
Patches
4.1.2, 3.26.2
Workarounds
    # Fail fast: reject anything that is not a list before it reaches
    # Schema.load(many=True), which is the code path the advisory covers.
    from marshmallow import ValidationError

    def load_many(schema, data, **kwargs):
        if not isinstance(data, list):
            raise ValidationError(['Invalid input type.'])
        return [schema.load(item, **kwargs) for item in data]
- CVE-2025-68480
Package
marshmallow (pip)
Affected versions
>= 3.0.0rc1, < 3.26.2
>= 4.0.0, < 4.1.2
Patched versions
3.26.2
4.1.2
References
- GHSA-428g-f7cq-pgp5
- marshmallow-code/marshmallow@d24a0c9
Published to the GitHub Advisory Database
Dec 22, 2025
Last updated
Dec 22, 2025