Anonymous Intelligence Signal

Google Protobuf Python: CVE-2025-4565 Exposes a Recursion Denial-of-Service Vulnerability

Author: The Lab (unverified) | 2026-03-31 23:27:24 | Source: GitHub Issues

A security flaw in Google's Protocol Buffers (Protobuf) library, tracked as CVE-2025-4565, exposes Python applications to denial-of-service attacks. The vulnerability resides in the pure-Python backend: an attacker who can feed crafted serialized data to a service that parses it with that backend can abort the parse by exploiting recursive structures. This is not a theoretical risk; it is a direct path to service disruption for any system that accepts external serialized data.

The exploit consists of crafting Protocol Buffers messages that nest an arbitrary number of recursive groups, recursive messages, or a long run of `SGROUP` tags. Because the vulnerable Python decoder descends into each nested level with a further Python call, a deep enough payload exceeds Python's recursion limit and raises `RecursionError`; if nothing catches it, the parsing thread or process terminates. The payload does not need to be large: the nesting depth, not the byte count, is what matters. The issue was reported by security researcher Alexis Challande of Trail of Bits. The fix is contained in the newly released Protobuf version 6.33.5, which patches the parsing logic to handle these inputs safely.
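As an added illustration that is not part of the original report or of the protobuf project's code, the toy wire-format walker below constructs the two payload shapes described above (a run of `SGROUP` tags with matching `EGROUP` tags, and a chain of length-delimited sub-messages) and parses them recursively: first with no depth bound, which reproduces the unhandled `RecursionError`, then with a hypothetical `max_depth` cap of the kind a hardened decoder enforces. The walker is schema-less and assumes every length-delimited field is an embedded message; all names in it (`walk`, `nested_groups`, `nested_messages`, `NestingTooDeep`, `parse_outcome`, `hostile_payload`) are assumptions for this example, not library APIs.

```python
# Added example: a toy recursive-descent walker over the protobuf wire format.
# It is NOT the protobuf library's decoder; it only shows why unbounded nesting
# exhausts Python's recursion limit and how a depth cap stops that.
import sys
from typing import Optional, Tuple

VARINT, FIXED64, LEN, SGROUP, EGROUP, FIXED32 = 0, 1, 2, 3, 4, 5  # wire types


class NestingTooDeep(ValueError):
    """Raised by the hardened walker instead of letting RecursionError escape."""


def encode_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    result = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def tag(field: int, wire_type: int) -> bytes:
    return encode_varint((field << 3) | wire_type)


def nested_groups(depth: int, field: int = 1) -> bytes:
    """Constructed payload: `depth` SGROUP tags followed by the matching EGROUP tags."""
    return tag(field, SGROUP) * depth + tag(field, EGROUP) * depth


def nested_messages(depth: int, field: int = 1) -> bytes:
    """Constructed payload: an empty message wrapped `depth` times as a sub-message."""
    body = b""
    for _ in range(depth):
        body = tag(field, LEN) + encode_varint(len(body)) + body
    return body


def walk(buf: bytes, pos: int = 0, end: Optional[int] = None, depth: int = 0,
         max_depth: Optional[int] = None, open_field: Optional[int] = None) -> Tuple[int, int]:
    """Walk the fields in buf[pos:end], recursing into groups and (toy assumption)
    into every length-delimited field. Returns (deepest nesting seen, end position).
    max_depth=None mirrors the vulnerable behaviour: one Python frame per level,
    no bound, so a deep payload ends in RecursionError."""
    end = len(buf) if end is None else end
    deepest = depth
    while pos < end:
        t, pos = decode_varint(buf, pos)
        field, wire_type = t >> 3, t & 7
        if wire_type == VARINT:
            _, pos = decode_varint(buf, pos)
        elif wire_type in (FIXED64, FIXED32):
            pos += 8 if wire_type == FIXED64 else 4
            if pos > end:
                raise ValueError("truncated fixed field")
        elif wire_type == LEN:
            length, pos = decode_varint(buf, pos)
            if pos + length > end:
                raise ValueError("truncated length-delimited field")
            if max_depth is not None and depth + 1 > max_depth:
                raise NestingTooDeep(f"nesting exceeds {max_depth}")
            d, _ = walk(buf, pos, pos + length, depth + 1, max_depth)
            deepest, pos = max(deepest, d), pos + length
        elif wire_type == SGROUP:
            if max_depth is not None and depth + 1 > max_depth:
                raise NestingTooDeep(f"nesting exceeds {max_depth}")
            d, pos = walk(buf, pos, end, depth + 1, max_depth, open_field=field)
            deepest = max(deepest, d)
        elif wire_type == EGROUP:
            if field != open_field:
                raise ValueError("EGROUP without matching SGROUP")
            return deepest, pos  # group closed; hand control back to the caller
        else:
            raise ValueError(f"bad wire type {wire_type}")
    if open_field is not None:
        raise ValueError("unterminated group")
    return deepest, pos


def parse_outcome(buf: bytes, max_depth: Optional[int] = None) -> str:
    """'ok', 'recursion_error' (the unhandled-crash path) or 'rejected' (depth cap hit)."""
    try:
        walk(buf, max_depth=max_depth)
        return "ok"
    except RecursionError:
        return "recursion_error"
    except NestingTooDeep:
        return "rejected"


def hostile_payload() -> bytes:
    """A few kilobytes of SGROUP tags is enough to blow the default recursion limit."""
    return nested_groups(sys.getrecursionlimit() * 2)


if __name__ == "__main__":
    print(len(hostile_payload()), "bytes:", parse_outcome(hostile_payload()))
    print("with max_depth=100:", parse_outcome(hostile_payload(), max_depth=100))
    print("benign 50-deep message:", parse_outcome(nested_messages(50), max_depth=100))
```

The depth check sits before each recursive call rather than around the whole parse, so a legitimate but deep message is rejected with a specific, catchable error at a predictable cost, while the unbounded variant only fails once Python itself gives up, at a depth that depends on the interpreter and on how many frames the caller already has on the stack.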

The impact is broad and immediate. Protobuf is a foundational serialization library used across microservices, public APIs, and internal data pipelines. Any project that uses the pure-Python backend to parse data from untrusted sources, such as user inputs, network requests, or external APIs, is exposed to a trivially constructed DoS payload. Note that a process can end up on the pure-Python backend without anyone choosing it, for example when the compiled backend is unavailable on the platform or when `PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python` is set in the environment; `google.protobuf.internal.api_implementation.Type()` reports which backend is actually in use. Development and security teams should treat the upgrade to version 6.33.5 or later as mandatory and time-sensitive, and until it lands should avoid handing untrusted input to the pure-Python parser.