PT-2026-44444 · Pypi · Graphitedb
Published: 2026-05-18 · Updated: 2026-05-18
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Impact
Type of vulnerability: Insecure Deserialization via Python's pickle module.
Who is impacted: Users of the Graphite graph database engine, versions before 0.2, who load database files from untrusted or third-party sources.
An attacker could craft a malicious database file that executes arbitrary code when the engine loads it. This is possible because the engine used pickle for serialization, which is known to be unsafe for untrusted data.
Patches
The vulnerability has been patched starting from version 0.2. All users should upgrade to version 0.2 or later (the current version is 0.4 at publishing time).
In version 0.2 and above, the engine uses JSON instead of pickle for database storage, eliminating the deserialization risk.
Workarounds
If users cannot upgrade immediately:
- Do not load database files from untrusted or unknown sources when using versions <0.2.
- Migrate existing pickle-based databases to the new JSON format using the provided migration module:

```python
from graphite.Migration import convert_pickle_to_json

# Reads the legacy pickle database and writes it out in the 0.2+ JSON format.
convert_pickle_to_json("path/to/old_database.pkl", "path/to/new_database.json")
```

After migration, you can safely use the database with version 0.2+.
Note: Versions 0.2 and later show a warning when attempting to load legacy pickle files, reminding you to migrate them; they also refuse to load pickle files altogether.
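As an added illustration (not code from the Graphite project or this advisory), the following shows the two defensive pieces described above: a 0.2-style loader that accepts only JSON and flags a legacy pickle header instead of executing it, and a migration path that unpickles a trusted legacy dump through an unpickler refusing every global reference, so a file carrying anything beyond plain graph data is rejected rather than run. The graph layout, function names and sample dumps are assumptions constructed for the example.

```python
import io
import json
import pickle
import warnings

# Constructed sample in the plain dict/list shape this example assumes for a
# database dump (the page does not show Graphite's real on-disk layout).
SAMPLE_GRAPH = {"nodes": [{"id": 1, "label": "a"}, {"id": 2, "label": "b"}],
                "edges": [{"src": 1, "dst": 2, "weight": 0.5}]}


def legacy_dump(graph) -> bytes:
    """Constructed stand-in for a pre-0.2 database file (a pickle stream)."""
    return pickle.dumps(graph, protocol=2)


def global_reference_dump() -> bytes:
    """Harmless pickle referencing a global (builtins.print). A plain-data dump
    never needs a global, so the restricted loader below must reject it."""
    return pickle.dumps(print)


class PlainDataUnpickler(pickle.Unpickler):
    """Refuses every global lookup: dict/list/str/int/float are rebuilt without
    find_class, so any GLOBAL or STACK_GLOBAL opcode is not plain graph data."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def migrate_legacy_dump(data: bytes):
    """Return ('ok', json_text) or ('rejected', reason) for a legacy pickle file."""
    try:
        graph = PlainDataUnpickler(io.BytesIO(data)).load()
        return "ok", json.dumps(graph, sort_keys=True)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


def classify_database(data: bytes) -> str:
    """0x80 is the PROTO opcode opening every protocol-2+ pickle; 0/1 streams lack it."""
    return "legacy-pickle" if data[:1] == b"\x80" else "json"


def load_database(data: bytes):
    """0.2-style loader: JSON only. A pickle header is warned about, never executed."""
    if classify_database(data) == "legacy-pickle":
        warnings.warn("legacy pickle database detected; migrate it to JSON first")
        raise ValueError("pickle databases cannot be loaded; run the migration")
    return json.loads(data.decode("utf-8"))
```

Protocol 0 and 1 pickles carry no 0x80 header, so they are not flagged by the header check but still fail JSON decoding rather than being unpickled.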
Resources
- Upgrade to v0.2 or newer
- Migration guide: see the graphite.Migration module documentation
- More on pickle security: Python docs – pickle security
Weakness Enumeration
Deserialization of Untrusted Data
Affected Products
Graphitedb