Am-Periphery

**Name of the Vulnerable Software and Affected Versions** DeepDiff versions 5.0.0 through 8.6.1 **Description** DeepDiff is a Python project for deep difference and search of data. The pickle unpickler ` RestrictedUnpickler` validates which classes can be loaded but does not limit their constructor arguments. Certain types within `SAFE TO IMPORT` (like `builtins.bytes`, `builtins.list`, and `builtins.range`) have constructors that allocate memory proportional to their input. A small, 40-byte pickle payload can trigger the allocation of over 10 GB of memory, potentially crashing applications that load delta objects or use `pickle load` with untrusted data. This can be exploited in two ways: during `pickle load` by calling `bytes(N)` with a large `N`, or during delta application by manipulating values and types. The amplification factor can be significant, reaching up to 2,000,000x. This issue results in a denial of service. **Recommendations** DeepDiff versions prior to 8.6.2 are affected. Update to DeepDiff version 8.6.2 or later.