diff -Naur marshmallow-a8b33850c74975250fa81308ce3aa4868128d3ba/marshmallow/schema.py marshmallow-a8b33850c74975250fa81308ce3aa4868128d3ba.cve-2018-17175/marshmallow/schema.py
--- marshmallow-a8b33850c74975250fa81308ce3aa4868128d3ba/marshmallow/schema.py	2015-08-23 17:31:05.000000000 +0200
+++ marshmallow-a8b33850c74975250fa81308ce3aa4868128d3ba.cve-2018-17175/marshmallow/schema.py	2018-09-21 14:40:18.997634163 +0200
@@ -339,7 +339,7 @@
         """
         pass
 
-    def __init__(self, extra=None, only=(), exclude=(), prefix='', strict=False,
+    def __init__(self, extra=None, only=None, exclude=(), prefix='', strict=False,
                  many=False, context=None, load_only=(), dump_only=()):
         # copy declared fields from metaclass
         self.declared_fields = copy.deepcopy(self._declared_fields)
@@ -668,7 +668,7 @@
 
     def _update_fields(self, obj=None, many=False):
         """Update fields based on the passed in object."""
-        if self.only:
+        if self.only is not None:
             # Return only fields specified in fields option
             field_names = self.set_class(self.only)
         elif self.opts.fields:
diff -Naur marshmallow-a8b33850c74975250fa81308ce3aa4868128d3ba/tests/test_schema.py marshmallow-a8b33850c74975250fa81308ce3aa4868128d3ba.cve-2018-17175/tests/test_schema.py
--- marshmallow-a8b33850c74975250fa81308ce3aa4868128d3ba/tests/test_schema.py	2015-08-23 17:31:05.000000000 +0200
+++ marshmallow-a8b33850c74975250fa81308ce3aa4868128d3ba.cve-2018-17175/tests/test_schema.py	2018-09-21 14:37:04.100516852 +0200
@@ -1284,6 +1284,12 @@
         }
         assert errors == expected
 
+def test_only_empty():
+    class MySchema(Schema):
+        foo = fields.Field()
+
+    sch = MySchema(only=())
+    assert 'foo' not in sch.dump({'foo': 'bar'})
 
 class TestPreprocessors: