PT-2026-44444 · Pypi · Graphitedb
Published
2026-05-18
·
Updated
2026-05-18
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Impact
Type of vulnerability: Insecure Deserialization via Python's pickle module.
Who is impacted:
Users of the Graphite graph database engine, versions before 0.2, who load database files from untrusted or third-party sources.
An attacker could craft a malicious database file that executes arbitrary code when loaded by the engine. This is possible because the engine used pickle for serialization, which is known to be unsafe for untrusted data.
Patches
The vulnerability has been patched starting from version 0.2.
All users should upgrade to version 0.2 or later (the current version is 0.4 at publishing time).
In version 0.2 and above, the engine uses JSON instead of pickle for database storage, eliminating the deserialization risk.
Workarounds
If users cannot upgrade immediately:
- Do not load database files from untrusted or unknown sources when using versions <0.2.
- Migrate existing pickle-based databases to the new JSON format using the provided migration module:
```python
from graphite.Migration import convert_pickle_to_json

# One-time conversion of a legacy pickle database into the JSON format used by 0.2+
convert_pickle_to_json("path/to/old_database.pkl", "path/to/new_database.json")
```
After migration, you can safely use the database with version 0.2+.
Note: versions 0.2 and later refuse to load legacy pickle files and show a warning reminding you to migrate them.
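As an added illustration (not Graphite's own code), the following shows the defensive pattern behind the fix: a loader that accepts only JSON and refuses pickle streams outright, plus a restricted unpickler, modelled on the pickle security guidance in the Python docs, that rejects every global lookup so a legacy file made of plain containers can be converted to JSON without resolving anything it might reference. The function names and the sample database are assumptions made here.

```python
import io
import json
import pickle

# Pickle streams with protocol >= 2 (the Python 3 default) start with the PROTO byte 0x80.
PICKLE_PROTO_OPCODE = b"\x80"

# Constructed sample: a tiny graph stored as an old-style pickle database.
SAMPLE_LEGACY_DB = pickle.dumps({"nodes": ["a", "b"], "edges": [["a", "b"]]})

def detect_format(data: bytes) -> str:
    """Classify raw database bytes as 'json', 'pickle' or 'unknown'."""
    if data.lstrip()[:1] in (b"{", b"["):
        try:
            json.loads(data)
            return "json"
        except ValueError:
            return "unknown"
    if data[:1] == PICKLE_PROTO_OPCODE:
        return "pickle"
    return "unknown"

class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every module.attribute reference: plain dicts,
    lists, strings and numbers still load, but a stream that asks for a
    global (the hook malicious pickles rely on) is rejected outright."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def load_database(data: bytes) -> dict:
    """Load a database only if it is JSON, mirroring the 0.2+ behaviour."""
    fmt = detect_format(data)
    if fmt == "json":
        return json.loads(data)
    if fmt == "pickle":
        raise ValueError("legacy pickle database refused; migrate it to JSON first")
    raise ValueError("unrecognised database format")

def legacy_db_is_plain(data: bytes) -> bool:
    """True if the pickle loads without resolving a single global."""
    try:
        NoGlobalsUnpickler(io.BytesIO(data)).load()
        return True
    except pickle.UnpicklingError:
        return False

def migrate_legacy_bytes(data: bytes) -> str:
    """Convert a legacy pickle holding only plain containers into JSON text."""
    obj = NoGlobalsUnpickler(io.BytesIO(data)).load()
    return json.dumps(obj, sort_keys=True)
```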
Resources
- Upgrade to v0.2 or newer
- Migration guide: see the graphite.Migration module documentation
- More on pickle security: Python docs – pickle security
Fix
Deserialization of Untrusted Data
Weakness Enumeration
Related identifiers
Affected products
Graphitedb