PT-2026-53422 · Pypi · Epyt-Flow

Published

2026-06-29

·

Updated

2026-06-29

CVSS v3.1

10

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Impact

EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer (my load from json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files.

Patches

EPyT-Flow has been patched in 0.16.1 -- affects all versions <= 0.16.0

Workarounds

Do not load any JSON from untrusted sources and do not expose the REST API.

Credits

EPyT-Flow thanks Jarrett Chan (@syphonetic) for detecting and reporting the bug.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

PYSEC-2026-330

Affected Products

Epyt-Flow