Volerion logoVolerion
Volerion logoVolerion

Marshmallow Library Denial-of-Service Vulnerability in Schema.load(many=True)

Vulnerability

A denial-of-service vulnerability has been identified in the Marshmallow library, specifically in versions 3.0.0rc1 prior to 3.26.2 and 4.0.0 prior to 4.1.2. The issue arises in the Schema.load(data, many=True) method, where a moderately sized request can lead to excessive CPU consumption. This vulnerability has been patched in Marshmallow versions 3.26.2 and 4.1.2.

Impact

Exploitation of this vulnerability can cause a significant increase in CPU usage, leading to potential performance degradation or service interruption.

Reproduction

To reproduce this vulnerability, send a request to a server using the Marshmallow library with a moderate amount of data. Ensure that the 'many' parameter is set to True when calling the 'Schema.load' method. The server should experience a disproportionate increase in CPU usage, demonstrating the denial-of-service condition.

Remediation

Users can upgrade to Marshmallow versions 3.26.2 or 4.1.2 to address this vulnerability.

Added: Dec 22, 2025, 10:53 PM
Updated: Dec 22, 2025, 10:53 PM

Vulnerability Rating

Custom Algorithm
spread
6.6
impact
2.5
exploitability
5.7
remediation
8.3
relevance
1.6
threat
4.8
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.