CVE-2025-4565: 
Python vulnerability analysis and mitigation

CVE-2025-4565 is a vulnerability in the Protobuf Pure-Python backend that affects projects parsing untrusted Protocol Buffers data. The vulnerability was disclosed on June 16, 2025, and impacts any project using the Protobuf Pure-Python backend. The issue occurs when parsing data containing an arbitrary number of recursive groups, recursive messages, or a series of SGROUP tags (NVD).

The vulnerability stems from uncontrolled recursion when parsing Protocol Buffers data containing recursive elements. When processing untrusted data with recursive structures, the parser can exceed the Python recursion limit, leading to a RecursionError. The vulnerability has been assigned a CVSS v4.0 score of 8.2 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. The issue is classified as CWE-674 (Uncontrolled Recursion) (NVD).

When exploited, this vulnerability can result in a Denial of Service (DoS) condition by causing the application to crash with a RecursionError. This occurs when processing maliciously crafted Protocol Buffers data that contains excessive recursive structures (NVD).

The recommended mitigation is to upgrade to version 6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901. The fix implements recursion depth limits in the pure Python implementation to prevent excessive recursion (NVD, GitHub Commit).