#1123888 python-marshmallow: CVE-2025-68480

Package: src:python-marshmallow
Source: src:python-marshmallow
Submitter: Salvatore Bonaccorso
Date: 2026-06-25 09:21:02 UTC
Severity: normal
#1123888#5
Date: 2025-12-23 15:26:26 UTC
Hi,

The following vulnerability was published for python-marshmallow.

CVE-2025-68480[0]:
| Marshmallow is a lightweight library for converting complex objects
| to and from simple Python datatypes. In versions from 3.0.0rc1 to
| before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data,
| many=True) is vulnerable to denial of service attacks. A moderately
| sized request can consume a disproportionate amount of CPU time.
| This issue has been patched in version 3.26.2 and 4.1.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-68480
https://www.cve.org/CVERecord?id=CVE-2025-68480
[1] https://github.com/marshmallow-code/marshmallow/security/advisories/GHSA-428g-f7cq-pgp5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
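Two things a maintainer or operator usually wants after reading an advisory like the one quoted above: a quick way to tell whether an installed version falls inside the stated affected ranges (3.0.0rc1 up to but excluding 3.26.2, and 4.0.0 up to but excluding 4.1.2), and a stop-gap for services that cannot upgrade immediately. The code below is an added example, not part of this bug report, of the Debian package, or of marshmallow itself. It uses only the standard library, so it runs without marshmallow installed; the version parser assumes PEP 440-style pre-release tags (a/b/rc) and Debian's `~` pre-release separator, and `bounded_many_load` is an assumed wrapper around a schema's bound `load` method, motivated by the advisory's statement that CPU cost grows disproportionately with a moderately sized request.

```python
"""Defender-side helpers for CVE-2025-68480 (Schema.load(many=True) DoS).

Added example; not code from the bug report, Debian, or marshmallow.
Standard library only, so it runs without marshmallow installed.
"""
import re
from typing import Any, Callable, Sequence

# Affected ranges as stated in the advisory: [3.0.0rc1, 3.26.2) and [4.0.0, 4.1.2).
AFFECTED_RANGES = (("3.0.0rc1", "3.26.2"), ("4.0.0", "4.1.2"))

# X.Y.Z with an optional PEP 440 pre-release tag such as rc1 (assumption: no
# post/dev releases need handling for this check).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?$")
_PRE_ORDER = {"a": 0, "b": 1, "rc": 2}
_FINAL = 3  # a final release sorts after any pre-release of the same number


def parse_version(text: str) -> tuple:
    """Turn '3.26.2' or '3.0.0rc1' into a tuple that sorts like the release order.

    3.0.0b2 < 3.0.0rc1 < 3.0.0 < 3.0.1, which is what the advisory's
    'from 3.0.0rc1' lower bound requires.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    pre = (_PRE_ORDER[tag], int(num)) if tag else (_FINAL, 0)
    return (int(major), int(minor), int(patch)) + pre


def upstream_version(debian_version: str) -> str:
    """Reduce a Debian version to its upstream part.

    '3.26.2-0.1' -> '3.26.2'; an epoch prefix ('1:...') is dropped and Debian's
    '~rc1' pre-release spelling is normalised to 'rc1'.
    """
    v = debian_version.split(":", 1)[-1]      # drop epoch
    v = v.rsplit("-", 1)[0]                   # drop Debian revision
    return v.replace("~", "")


def is_affected(version: str) -> bool:
    """True if `version` (upstream or Debian-style) is inside an affected range."""
    key = parse_version(upstream_version(version))
    return any(parse_version(low) <= key < parse_version(high)
               for low, high in AFFECTED_RANGES)


def bounded_many_load(load: Callable[..., Any], data: Any, max_items: int) -> Any:
    """Refuse oversized collections before they reach Schema.load(many=True).

    `load` is a schema's bound load method (e.g. MySchema().load). This is a
    request-size guard for deployments that cannot upgrade yet; the real fix is
    marshmallow 3.26.2 / 4.1.2.
    """
    if not isinstance(data, Sequence) or isinstance(data, (str, bytes)):
        raise ValueError("many=True expects a list of objects")
    if len(data) > max_items:
        raise ValueError(f"refusing to load {len(data)} items (limit {max_items})")
    return load(data, many=True)


if __name__ == "__main__":
    for v in ("3.26.1", "3.26.2-0.1", "3.0.0rc1", "3.0.0b2", "4.1.1", "4.1.2"):
        print(f"{v:>12}: {'affected' if is_affected(v) else 'not affected'}")
```

Feeding it the version from the NMU below (`3.26.2-0.1`) reports "not affected", while `3.26.1` and the `3.0.0rc1` lower bound report "affected"; a pre-release older than that bound (`3.0.0b2`) is correctly outside the range.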

#1123888#10
Date: 2026-06-23 20:41:49 UTC
Dear maintainer,

I've prepared an NMU for python-marshmallow (versioned as 3.26.2-0.1)
and uploaded it to DELAYED/2. Please feel free to tell me if I should
cancel it.

cu
Adrian

#1123888#19
Date: 2026-06-25 09:18:56 UTC
We believe that the bug you reported is fixed in the latest version of
python-marshmallow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1123888@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated python-marshmallow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 23 Jun 2026 23:27:50 +0300
Source: python-marshmallow
Architecture: source
Version: 3.26.2-0.1
Distribution: unstable
Urgency: medium
Maintainer: Federico Ceratto <federico@debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1123888
Changes:
 python-marshmallow (3.26.2-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - CVE-2025-68480: DoS with Schema.load(many)  (Closes: #1123888)
Checksums-Sha1:
 431f377fa695543167738608d6a9cf3779ab855a 2541 python-marshmallow_3.26.2-0.1.dsc
 4723ed1ab4eb781c8944bba927dcb0d6c9b9d6fc 228719 python-marshmallow_3.26.2.orig.tar.gz
 551c5ab54606fb28e2cc3aefc6572e84f08c11e0 4932 python-marshmallow_3.26.2-0.1.debian.tar.xz
Checksums-Sha256:
 84b55fe7cc6505d4d408bf246ec7534da9923c34092b603bfa144b44662a6b2b 2541 python-marshmallow_3.26.2-0.1.dsc
 e7ef0de731e51668a6ea5c05cfc8faabd51a1d0d9f75bd3ee0d17009134cbce4 228719 python-marshmallow_3.26.2.orig.tar.gz
 2bf5c80c4063f321dcf896d900bec0ea4902833d719054db329cdf16db6dbdb6 4932 python-marshmallow_3.26.2-0.1.debian.tar.xz
Files:
 84d4e45fed6292fb604a8ca6eb7cc078 2541 python optional python-marshmallow_3.26.2-0.1.dsc
 e46d5bed6abece9454c32f0978b67118 228719 python optional python-marshmallow_3.26.2.orig.tar.gz
 895cef4dfb4bbbc5c161722c07218f84 4932 python optional python-marshmallow_3.26.2-0.1.debian.tar.xz