CVE-2025-4565: 
Python vulnerability analysis and mitigation

CVE-2025-4565 is a vulnerability in the Protobuf Pure-Python backend that affects projects parsing untrusted Protocol Buffers data. The vulnerability was discovered and disclosed on June 16, 2025, affecting any project that uses the Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing recursive elements (NVD, Wiz).

The vulnerability stems from uncontrolled recursion (CWE-674) when parsing Protocol Buffers data containing recursive elements. When processing untrusted data with recursive structures, including recursive groups, recursive messages, or a series of SGROUP tags, the parser can exceed the Python recursion limit, leading to a RecursionError. The vulnerability has been assigned a CVSS v4.0 score of 8.2 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (NVD, Wiz).

When exploited, this vulnerability can result in a Denial of Service (DoS) condition by causing the application to crash with a RecursionError. This occurs when processing maliciously crafted Protocol Buffers data that contains excessive recursive structures (NVD, Wiz).

The recommended mitigation is to upgrade to version 6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901. The fix implements recursion depth limits in the pure Python implementation to prevent excessive recursion (NVD, GitHub Commit).