📂 Vulnerable Library - protobuf-3.20.3-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl
No project description provided
Library home page: https://files.pythonhosted.org/packages/c7/df/ec3ecb8c940b36121c7b77c10acebf3d1c736498aa2f1fe3b6231ee44e76/protobuf-3.20.3-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl
Path to dependency file: /flink-python/dev/dev-requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251002033051_JHZQXU/python_ZCSUOA/20251002033052/protobuf-3.20.3-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-4565 | 🔴 High | 8.2 | Not Defined | < 1% | protobuf-3.20.3-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Direct | N/A | ❌ | Reachable |
Details
🔴CVE-2025-4565
Vulnerable Library - protobuf-3.20.3-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl
No project description provided
Library home page: https://files.pythonhosted.org/packages/c7/df/ec3ecb8c940b36121c7b77c10acebf3d1c736498aa2f1fe3b6231ee44e76/protobuf-3.20.3-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl
Path to dependency file: /flink-python/dev/dev-requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251002033051_JHZQXU/python_ZCSUOA/20251002033052/protobuf-3.20.3-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl
Dependency Hierarchy:
- ❌ protobuf-3.20.3-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl (Vulnerable Library)
- apache_beam-2.43.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Root Library)
  - ❌ protobuf-3.20.3-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl (Vulnerable Library)
- grpcio_tools-1.46.3-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Root Library)
  - ❌ protobuf-3.20.3-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- flink/flink-python/pyflink/fn_execution/flink_fn_execution_pb2.py (Application) -> ❌ protobuf-3.20.3/google/protobuf/message.py (Vulnerable Component)
Vulnerability Details
Any project that uses the Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages, or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a denial of service by crashing the application with a RecursionError. We recommend upgrading to version >= 6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901.
Publish Date: Jun 16, 2025 02:50 PM
URL: CVE-2025-4565
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :