Description
Overview
Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) via the `Schema.load` method of the error storage utility when handling input with the `many` parameter set to `True`. An attacker can cause excessive CPU consumption by submitting a moderately sized request, leading to resource exhaustion.
Security information
Factors contributing to the scoring:
Snyk: CVSS v4.0 6.9 - Medium Severity | CVSS v3.1 5.3 - Medium Severity
NVD: Not available. NVD has not yet published its analysis.
Detailed paths and remediation
- Introduced through: root@* › marshmallow@3.26.0
  Fix: Upgrade marshmallow to version 3.26.2 or 4.1.2
- Introduced through: root@* › flask-apispec@0.11.4 › marshmallow@3.26.0
  Fix: Pin marshmallow to version 3.26.2 or 4.1.2
- Introduced through: root@* › marshmallow-sqlalchemy@1.4.2 › marshmallow@3.26.0
  Fix: Pin marshmallow to version 3.26.2 or 4.1.2
- Introduced through: root@* › webargs@8.7.1 › marshmallow@3.26.0
  Fix: Pin marshmallow to version 3.26.2 or 4.1.2
- Introduced through: root@* › flask-apispec@0.11.4 › webargs@8.7.1 › marshmallow@3.26.0
  Fix: Pin marshmallow to version 3.26.2 or 4.1.2
Introduced through: marshmallow@3.26.0, flask-apispec@0.11.4 and others
Fixed in: marshmallow@3.26.2, marshmallow@4.1.2
Completion criteria
- Upgrade marshmallow to remediate security vulnerability