The vulnerability is a denial of service in marshmallow when using Schema.load(many=True). This is caused by an inefficient implementation of the error merging logic that is triggered when validating a large number of objects that produce many validation errors.
The analysis of the patch d24a0c9df061c4daa92f71cf85aca25b83eee508 shows that the file src/marshmallow/error_store.py was modified to improve performance.
The function merge_errors was changed to merge lists and dictionaries in place instead of building a new object on every merge. For example, errors1 + errors2, which allocates a new list and copies both operands into it, was replaced with errors1.extend(errors2), which appends only the new messages. Because the accumulated errors were copied again on every merge, the total work grew quadratically with the number of errors rather than linearly; this repeated copying is the root cause of the DoS.
The function ErrorStore.store_error calls merge_errors to fold each new set of messages into the accumulated errors, so both functions are part of the vulnerable logic and both would show up in a profile of an exploit. The user-facing entry point is Schema.load(many=True); the functions that consume the disproportionate resources are merge_errors and its caller ErrorStore.store_error.
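To make the cost difference concrete, the following is an added example, not marshmallow's own code, that models the two merging strategies described above on the error shapes marshmallow produces: lists of message strings, and dicts keyed by field name (or by item index under many=True) with schema-level messages under the "_schema" key. The names merge_copying, merge_inplace, store_many, recopy_cost and merge_both are hypothetical; store_many stands in for ErrorStore.store_error being called once per item of a Schema.load(many=True) call, and the per-item messages are constructed input. Rather than wall-clock timing, it counts how many already-stored entries are copied into a freshly built container on each merge, which is the work that scales with the accumulator instead of with the new item.

```python
"""Copy-on-merge vs in-place error merging, modelled on the marshmallow patch.

Added example, not marshmallow's own code. Error values take the shapes
marshmallow's ErrorStore produces: a list of message strings, or a dict keyed
by field name (or item index under many=True) whose values are again lists or
dicts. Schema-level messages live under the "_schema" key.
"""
import copy

SCHEMA = "_schema"  # marshmallow's key for schema-level (non-field) errors


def merge_copying(errors1, errors2, stats):
    """Pre-patch strategy (model): build a new container on every merge.

    stats["recopied"] counts entries that already existed in errors1 and are
    copied again into the fresh container; this is the work that grows with
    the size of the accumulator rather than with the new item.
    """
    if not errors1:
        return errors2
    if not errors2:
        return errors1
    if isinstance(errors1, list) and isinstance(errors2, list):
        stats["recopied"] += len(errors1)
        return errors1 + errors2                       # new list, old messages copied
    if isinstance(errors1, dict) and isinstance(errors2, dict):
        stats["recopied"] += len(errors1)
        merged = dict(errors1)                         # new dict, old entries copied
        for key, value in errors2.items():
            if value:
                merged[key] = merge_copying(merged.get(key), value, stats)
        return merged
    # Mixed list/dict: the list carries schema-level messages.
    if isinstance(errors1, list):
        return merge_copying({SCHEMA: errors1}, errors2, stats)
    return merge_copying(errors1, {SCHEMA: errors2}, stats)


def merge_inplace(errors1, errors2, stats):
    """Post-patch strategy (model): extend/update errors1 and return it.

    Only the new messages are written; nothing already stored is recopied, so
    stats["recopied"] stays at zero. errors1 is mutated, so the accumulator
    must be owned by the caller (as the store's own errors attribute is).
    """
    if not errors1:
        return errors2
    if not errors2:
        return errors1
    if isinstance(errors1, list) and isinstance(errors2, list):
        errors1.extend(errors2)                        # appends only the new messages
        return errors1
    if isinstance(errors1, dict) and isinstance(errors2, dict):
        for key, value in errors2.items():
            if not value:
                continue
            errors1[key] = merge_inplace(errors1[key], value, stats) if key in errors1 else value
        return errors1
    if isinstance(errors1, list):
        return merge_inplace({SCHEMA: errors1}, errors2, stats)
    return merge_inplace(errors1, {SCHEMA: errors2}, stats)


def store_many(merge, per_item_errors, stats):
    """Stand-in for ErrorStore.store_error under Schema.load(many=True).

    Each failing item's messages are keyed by its index and merged into the
    accumulated store, the pattern whose cost the patch changed.
    """
    errors = {}
    for index, messages in enumerate(per_item_errors):
        if messages:
            errors = merge(errors, {index: messages}, stats)
    return errors


def recopy_cost(merge, n_items):
    """Entries recopied while storing errors for n_items items that all fail."""
    stats = {"recopied": 0}
    # Constructed input: every item fails the same field check.
    items = [{"email": ["Not a valid email address."]} for _ in range(n_items)]
    store_many(merge, items, stats)
    return stats["recopied"]


def merge_both(errors1, errors2):
    """Run both strategies on private copies; return (copying_result, inplace_result)."""
    stats = {"recopied": 0}
    copying = merge_copying(copy.deepcopy(errors1), copy.deepcopy(errors2), stats)
    inplace = merge_inplace(copy.deepcopy(errors1), copy.deepcopy(errors2), stats)
    return copying, inplace


if __name__ == "__main__":
    for n in (20, 200, 2000):
        print(f"{n:5d} failing items: copy-on-merge recopies {recopy_cost(merge_copying, n)} "
              f"entries, in-place recopies {recopy_cost(merge_inplace, n)}")
```

For n failing items the copy-on-merge model recopies n(n-1)/2 entries (190 for 20 items, 19900 for 200), while the in-place model recopies none and produces identical error structures. The caveat that comes with the fix: merge_inplace mutates its first argument, so it is only safe when the accumulator is private to the error store; a caller that hands in a shared error structure would see it modified.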
| Affected Function | File |
|---|---|
| marshmallow.error_store.merge_errors | src/marshmallow/error_store.py |
| marshmallow.error_store.ErrorStore.store_error | src/marshmallow/error_store.py |
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| marshmallow | pip | >= 3.0.0rc1, < 3.26.2 | 3.26.2 |
| marshmallow | pip | >= 4.0.0, < 4.1.2 | 4.1.2 |