Marshmallow has DoS in Schema.load(many)

Impact

Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time.

Patches

4.1.2, 3.26.2

Workarounds

# Fail fast
def load_many(schema, data, **kwargs):
    if not isinstance(data, list):
        raise ValidationError(['Invalid input type.'])
    return [schema.load(item, **kwargs) for item in data]

References

deckar01 published to marshmallow-code/marshmallow Dec 22, 2025

Published to the GitHub Advisory Database Dec 22, 2025

Reviewed Dec 22, 2025

Published by the National Vulnerability Database Dec 22, 2025

Last updated Dec 23, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Exploit Prediction Scoring System (EPSS)

Weaknesses

Asymmetric Resource Consumption (Amplification)

CVE ID

GHSA ID

Source code

Uh oh!