GHSA-428g-f7cq-pgp5
Denial of Service vulnerability in marshmallow (PyPI)

Denial of Service | No known exploit

What is GHSA-428g-f7cq-pgp5 About?

This vulnerability is a Denial of Service attack against the `Schema.load(data, many=True)` function. It allows attackers to consume a disproportionate amount of CPU time with a moderately sized request, leading to service disruption. Exploitation appears relatively easy, requiring only a crafted input.

Affected Software

  • marshmallow
    • >=4.0.0, <4.1.2
    • >=3.0.0rc1, <3.26.2

Technical Details

The vulnerability resides in the `Schema.load(data, many=True)` method. When it is invoked with specifically crafted input, even input of moderate size, it takes an inefficient processing path in which the CPU work performed grows out of proportion to the request. This resource exhaustion is likely an algorithmic-complexity issue, potentially in the parsing, validation, or serialization of large or deeply nested data structures, and the `many=True` flag (which tells the schema to expect a list of items rather than a single object) is part of what triggers it. An attacker can craft a request that drives this method into a computationally intensive loop or operation, consuming significant CPU cycles and rendering the service unavailable to legitimate users. The attack vector is direct data input to the vulnerable method.

What is the Impact of GHSA-428g-f7cq-pgp5?

Successful exploitation may allow attackers to cause resource exhaustion, leading to service unavailability or degraded performance for legitimate users. This can result in a complete denial of service for the affected application or system.

What is the Exploitability of GHSA-428g-f7cq-pgp5?

Exploitation of this vulnerability is likely of low complexity, requiring an attacker to send a specific type of request containing crafted data. There are no apparent authentication or specific privilege requirements, meaning an unauthenticated, remote attacker can potentially trigger this vulnerability by simply submitting data to an endpoint that utilizes the affected Schema.load function. The primary risk factor increasing exploitation likelihood is the direct exposure of an application using the vulnerable Schema.load(data, many=True) method to user-supplied input, as attackers can easily craft and send the disruptive data.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
--- | ------ | ---- | ----------
No known exploits

What are the Available Fixes for GHSA-428g-f7cq-pgp5?

Available Upgrade Options

  • marshmallow
    • >=3.0.0rc1, <3.26.2 → Upgrade to 3.26.2
  • marshmallow
    • >=4.0.0, <4.1.2 → Upgrade to 4.1.2
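The following is an added defensive example, not code from the advisory or from the marshmallow project. It checks an installed marshmallow version against the affected ranges listed above (handling the `3.0.0rc1` pre-release lower bound) and wraps `Schema.load(data, many=True)` so that non-list or oversized payloads are refused before the deserializer runs; the `max_items` limit of 1000 and the `bounded_load_many` name are assumptions, and the cap only limits the work one request can hand to the vulnerable path, it does not replace upgrading to 3.26.2 or 4.1.2.

```python
import re
from typing import Any

# Affected ranges from the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [("3.0.0rc1", "3.26.2"), ("4.0.0", "4.1.2")]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")


def version_key(version: str) -> tuple:
    """Sortable key for marshmallow-style versions. An rcN pre-release sorts
    before the final release of the same number, so 3.0.0rc1 < 3.0.0."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, patch, rc = m.groups()
    is_final = 1 if rc is None else 0
    return (int(major), int(minor), int(patch), is_final, int(rc or 0))


def is_affected(installed: str) -> bool:
    """True if the installed marshmallow version falls inside an affected range."""
    key = version_key(installed)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED_RANGES)


class PayloadRejected(ValueError):
    """Raised when a request is refused before it reaches Schema.load."""


def bounded_load_many(schema: Any, data: Any, max_items: int = 1000) -> list:
    """Assumed mitigation wrapper (not part of marshmallow): refuse non-list
    and oversized payloads up front, then delegate to schema.load(many=True).
    The item cap is a per-endpoint tuning value; 1000 is a placeholder."""
    if not isinstance(data, list):
        raise PayloadRejected("many=True expects a JSON array")
    if len(data) > max_items:
        raise PayloadRejected(f"too many items: {len(data)} > {max_items}")
    return schema.load(data, many=True)


if __name__ == "__main__":
    # Constructed sample versions, one on each side of every boundary.
    for v in ("3.0.0rc1", "3.26.1", "3.26.2", "4.0.0", "4.1.1", "4.1.2", "2.21.0"):
        print(v, "affected" if is_affected(v) else "not affected")
```

To check a live installation, pass `importlib.metadata.version("marshmallow")` to `is_affected`.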


Additional Resources

What are Similar Vulnerabilities to GHSA-428g-f7cq-pgp5?

Similar Vulnerabilities: CVE-2022-29217, CVE-2021-3807, CVE-2020-5398, CVE-2019-1002005, CVE-2018-1000136