Bump marshmallow to 3.26.2 [SECURITY] by renovate[bot] · Pull Request #525 · rapydo/http-api

renovate · 2025-12-22T20:45:28Z

This PR contains the following updates:

Package	Change	Age	Confidence
marshmallow (changelog)	`==3.21.1` → `==3.26.2`

Marshmallow has DoS in Schema.load(many)

CVE-2025-68480 / GHSA-428g-f7cq-pgp5

More information

Details

Impact

Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time.

Patches

4.1.2, 3.26.2

Workarounds

##### Fail fast
def load_many(schema, data, **kwargs):
    if not isinstance(data, list):
        raise ValidationError(['Invalid input type.'])
    return [schema.load(item, **kwargs) for item in data]

Severity

CVSS Score: 5.3 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

marshmallow-code/marshmallow (marshmallow)

`v3.26.2`

Compare Source

Bug fixes:

:cve:2025-68480: Merge error store messages without rebuilding collections.
Thanks 카푸치노 for reporting and :user:deckar01 for the fix.

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot changed the title ~~Bump marshmallow to 3.26.2 [SECURITY]~~ Bump marshmallow to 3.26.2 [SECURITY] - autoclosed Mar 27, 2026

renovate Bot closed this Mar 27, 2026

renovate Bot deleted the renovate/pypi-marshmallow-vulnerability branch March 27, 2026 01:57

renovate Bot changed the title ~~Bump marshmallow to 3.26.2 [SECURITY] - autoclosed~~ Bump marshmallow to 3.26.2 [SECURITY] Mar 30, 2026

renovate Bot reopened this Mar 30, 2026

renovate Bot force-pushed the renovate/pypi-marshmallow-vulnerability branch 2 times, most recently from 326f656 to 908d06a Compare March 30, 2026 17:35

renovate Bot changed the title ~~Bump marshmallow to 3.26.2 [SECURITY]~~ Bump marshmallow to 3.26.2 [SECURITY] - autoclosed Apr 27, 2026

renovate Bot closed this Apr 27, 2026

Bump marshmallow to 3.26.2 [SECURITY]

c418f73

renovate Bot changed the title ~~Bump marshmallow to 3.26.2 [SECURITY] - autoclosed~~ Bump marshmallow to 3.26.2 [SECURITY] Apr 27, 2026

renovate Bot reopened this Apr 27, 2026

renovate Bot force-pushed the renovate/pypi-marshmallow-vulnerability branch 2 times, most recently from 908d06a to c418f73 Compare April 27, 2026 21:49

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump marshmallow to 3.26.2 [SECURITY]#525

Bump marshmallow to 3.26.2 [SECURITY]#525
renovate[bot] wants to merge 1 commit into
3.1from
renovate/pypi-marshmallow-vulnerability

renovate Bot commented Dec 22, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Dec 22, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Marshmallow has DoS in Schema.load(many)

Details

Impact

Patches

Workarounds

Severity

References

Release Notes

Configuration

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Dec 22, 2025 •

edited

Loading