CVE-2025-4565

Publication date 16 June 2025

Last updated 9 July 2025

Ubuntu priority

Medium

Why this priority?

Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. We recommend upgrading to version =>6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901

Status

Package Ubuntu Release Status
protobuf 25.04 plucky
Fixed 3.21.12-10ubuntu0.1
24.10 oracular Ignored end of life
24.04 LTS noble
Fixed 3.21.12-8.2ubuntu0.2
22.04 LTS jammy
Fixed 3.12.4-1ubuntu7.22.04.4
20.04 LTS focal
Vulnerable
18.04 LTS bionic
Vulnerable
16.04 LTS xenial
Vulnerable
14.04 LTS trusty
Vulnerable

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
protobuf

References

Related Ubuntu Security Notices (USN)

    • USN-7629-1
    • Protocol Buffers vulnerabilities
    • 9 July 2025

Other references