CVE-2025-4565

Publication date 16 June 2025

Last updated 16 September 2025

Ubuntu priority

Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. We recommend upgrading to version =>6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
protobuf	25.04 plucky	Fixed 3.21.12-10ubuntu0.1
	24.10 oracular	Ignored end of life
	24.04 LTS noble	Fixed 3.21.12-8.2ubuntu0.2
	22.04 LTS jammy	Fixed 3.12.4-1ubuntu7.22.04.4
	20.04 LTS focal	Fixed 3.6.1.3-2ubuntu5.2+esm2
	18.04 LTS bionic	Fixed 3.0.0-9.1ubuntu1.1+esm3
	16.04 LTS xenial	Fixed 2.6.1-1.3ubuntu0.1~esm4
	14.04 LTS trusty	Ignored changes too intrusive

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Notes

john-breton

trusty is on 2.5.0, changes too involved to risk backporting

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
protobuf	Upstream: 17838be

References

Related Ubuntu Security Notices (USN)

USN-7629-1
Protocol Buffers vulnerabilities
9 July 2025

USN-7629-2
Protocol Buffers vulnerabilities
2 September 2025

Other references

https://www.cve.org/CVERecord?id=CVE-2025-4565