marshmallow (PyPI)
2 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting marshmallow
- CVE-2018-17175 | Severity: MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 3.0.0b9 | Published 2018-09-18
  Vulnerable versions: 0.1.0 ... 3.0.0b8 (84 versions)
  In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fiel…
- CVE-2025-68480 | Severity: MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 4.1.2 | Published 2025-12-22
  Vulnerable versions: 4.0.0, 4.0.1, 4.1.0, 4.1.1
  Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of ser…