PT-2025-36336 · Deepdiff · Deepdiff
Author: Diogotcorreia · Published 2025-09-03 · Updated 2025-09-08
CVE-2025-58367 · Score 10 · Critical
Base vector (CVSS 4.0): AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions:
DeepDiff versions 5.0.0 through 8.6.0
Description:
DeepDiff is a Python project for deep difference and search of data. Versions 5.0.0 through 8.6.0 are susceptible to class pollution through the `Delta` class constructor. When combined with a gadget in `DeltaDiff`, this can lead to Denial of Service and Remote Code Execution via insecure Pickle deserialization. The gadget allows modification of `deepdiff.serialization.SAFE_TO_IMPORT` to permit dangerous classes, such as `posix.system`, enabling the execution of arbitrary Python code through user-controlled input to the `Delta` class.
Recommendations:
Update to DeepDiff version 8.6.1 or later.
Tags: Fix · DoS · RCE
References · 13
- https://osv.dev/vulnerability/GHSA-mw26-5g2v-hqw3 · Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-58367 · Security Note
- https://github.com/seperman/deepdiff · Note
- https://github.com/seperman/deepdiff/releases/tag/8.6.1 · Note
- https://github.com/seperman/deepdiff/security/advisories/GHSA-mw26-5g2v-hqw3 · Note
- https://github.com/seperman/deepdiff/commit/c69c06c13f75e849c770ade3f556cd16209fd183 · Note
- https://github.com/dgilland/pydash/issues/180 · Note
- https://github.com/dgilland/pydash/commit/2015f0a4bcdbc3a5b27652e38fe97b3ee13ac15f · Note
- https://t.me/canyoupwnme/6917 · Telegram Post
- https://twitter.com/CCBalert/status/1965149059603124590 · Twitter Post
- https://twitter.com/CVEnew/status/1964195413587874223 · Twitter Post
- https://t.me/CVEtracker/31830 · Telegram Post
- https://twitter.com/cypmsecnews/status/1964119198898036771 · Twitter Post