CVE-2025-58367
Published 2025-09-05
CVE-2025-58367: DeepDiff is a project focused on Deep Difference and search of any Python data. Versions 5.0.0 through 8.6.0 are vulnerable to class pollution via the Delta…
Priority P2 · 62 · critical · CVSS 4.0 base score 10
EPSS: 1.06% (60.2th percentile)
DeepDiff is a project focused on Deep Difference and search of any Python data. Versions 5.0.0 through 8.6.0 are vulnerable to class pollution via the Delta class constructor; combined with a gadget available in DeepDiff itself, this can lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization). The gadget allows `deepdiff.serialization.SAFE_TO_IMPORT` to be modified to permit dangerous classes such as posix.system, after which insecure Pickle deserialization is performed via the Delta class. This potentially allows any Python code to be executed, provided the input to Delta is user-controlled. Depending on the application where DeepDiff is used, this can also lead to other vulnerabilities. This is fixed in version 8.6.1.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | deepdiff | < deepdiff 8.6.1-1 (forky) | deepdiff 8.6.1-1 (forky) |
| seperman | deepdiff | — | — |
| seperman | deepdiff | >= 0 < 8.6.1-1 | 8.6.1-1 |
| seperman | deepdiff | >= 5.0.0 < 8.6.2 | 8.6.2 |
| seperman | deepdiff | >= 5.0.0 < 8.6.1 | 8.6.1 |
Detection & IOCs (extracted from sources)
- Monitor for class pollution attempts targeting `deepdiff.serialization.SAFE_TO_IMPORT`: attacker-controlled input to the Delta class constructor can overwrite this allowlist to permit dangerous classes (e.g., posix.system) and trigger insecure Pickle deserialization leading to RCE.
- Flag any application passing user-controlled data directly into the DeepDiff `Delta` class constructor; this is the exploitation entry point for both DoS and RCE via insecure Pickle deserialization.
- Audit installed DeepDiff versions across all environments; 5.0.0 through 8.6.0 is the confirmed vulnerable range. Upgrade to 8.6.1 or the patched Debian package (8.6.1-1) to remediate.
- Exploitation requires user-controlled input to reach the Delta class constructor. Applications that do not expose Delta to untrusted input are at significantly reduced risk, but the class pollution gadget in DeepDiff may still be reachable indirectly depending on application architecture.
- Debian bookworm, bullseye, and trixie remain unpatched as of the advisory; only forky and sid have resolved packages (8.6.1-1). Environments running these Debian releases should treat the vulnerability as open until official package updates are available.
CVSS provenance
- NVD: CVSS 4.0, 10.0 CRITICAL, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- GHSA: 10.0 CRITICAL
- OSV: 10.0 CRITICAL
- Debian (vendor): 10.0 CRITICAL
OSV
CVE-2026-33155 [CRITICAL] DeepDiff has Memory Exhaustion DoS through SAFE_TO_IMPORT
osv · 2026-03-18 · CVSS 10.0
### Summary
The pickle unpickler `_RestrictedUnpickler` validates which classes can be loaded but does not limit their constructor arguments. A few of the types in `SAFE_TO_IMPORT` have constructors that allocate memory proportional to their input (`builtins.bytes`, `builtins.list`, `builtins.range`). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call `pickle_load` with untrusted data.
### Details
CVE-2025-58367 hardened the delta class against pollution and remote code execution by converting `SAFE_TO_IMPORT` to a `frozenset` and blocking traversal. `_RestrictedUnpickler.find_class` only gates which classes can be loaded. It doesn't intercept `REDUCE` opcodes or valid
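Added example, written for this page rather than taken from DeepDiff or either advisory. It models both the chain in the CVE-2025-58367 description and detection notes above (a Delta-style constructor that walks attacker-supplied paths into `__init__.__globals__` and `.update()`s a mutable module-level `SAFE_TO_IMPORT`, after which the restricted unpickler loads the newly allowlisted callable) and the weakness in this CVE-2026-33155 summary (the name gate in `find_class` says nothing about constructor arguments). `SAFE_TO_IMPORT`, `VulnerableDelta`, `HardenedDelta`, `RestrictedUnpickler`, `SizeGuardedUnpickler`, `MAX_ALLOC`, the path syntax and the payload-crafting helper are all assumptions of this example, not DeepDiff's API, and `posix.getpid` stands in for the `posix.system` gadget so the demo stays harmless.

```python
"""Added illustration, not DeepDiff's code, of the two weaknesses on this page:
(1) class pollution: a constructor that walks caller-supplied paths reaches a
mutable module-level allowlist via __init__.__globals__ and adds a callable, which
the "restricted" unpickler then REDUCEs; (2) find_class gates which callable loads
but not its arguments, so allowlisted bytes/range/list can be asked for gigabytes.
Every name here (SAFE_TO_IMPORT, *Delta, *Unpickler, MAX_ALLOC, the path syntax) is
a stand-in; posix.getpid replaces posix.system so the demo stays harmless."""
import importlib
import io
import os
import pickle

SAFE_TO_IMPORT = {"builtins.bytes", "builtins.list", "builtins.range", "builtins.str"}
SAFE_TO_IMPORT_FROZEN = frozenset(SAFE_TO_IMPORT)  # hardened form: no .add()/.update()
MAX_ALLOC = 1_000_000  # assumption: an application-chosen cap on constructed sizes
GADGET = (os.getpid.__module__, "getpid")  # ("posix", "getpid") on Linux


def craft_reduce_pickle(module: str, name: str, *int_args: int) -> bytes:
    """Constructed payload in protocol-0 opcodes: GLOBAL module.name, args, REDUCE, STOP."""
    args = b"(" + b"".join(b"I%d\n" % a for a in int_args) + b"t" if int_args else b")"
    return b"c%s\n%s\n" % (module.encode(), name.encode()) + args + b"R."


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist-gated find_class, the usual 'restricted unpickler' pattern."""
    allowlist = SAFE_TO_IMPORT  # the very same set object as the module global

    def find_class(self, module, name):
        if f"{module}.{name}" not in self.allowlist:
            raise pickle.UnpicklingError(f"{module}.{name} is not allowlisted")
        return getattr(importlib.import_module(module), name)


def restricted_loads(data: bytes, unpickler=RestrictedUnpickler):
    return unpickler(io.BytesIO(data)).load()


class VulnerableDelta:
    """Toy 'apply set_item_added' constructor: resolves a caller-supplied path with
    getattr/getitem and calls .update() on whatever it reaches (the pollution sink)."""
    def __init__(self, diff: dict):
        for path, items in diff.get("set_item_added", {}).items():
            self._resolve(path).update(items)

    def _resolve(self, path: str):
        obj = self
        for part in path.split("."):  # "[KEY]" means obj[KEY]; anything else is getattr
            obj = obj[part[1:-1]] if part.startswith("[") else getattr(obj, part)
        return obj


class HardenedDelta(VulnerableDelta):
    """Refuses dunder segments, i.e. blocks traversal into __globals__ and friends."""
    def _resolve(self, path: str):
        if any(p.strip("[]").startswith("__") for p in path.split(".")):
            raise ValueError(f"refusing dunder traversal: {path}")
        return super()._resolve(path)


def _bounded(factory):
    """Wrap an allocation-proportional constructor so REDUCE cannot request 10 GB."""
    def guarded(*args):
        size = 0
        if factory is range:
            size = len(range(*args))  # O(1); nothing is materialised
        elif args and isinstance(args[0], int):
            size = args[0]  # bytes(n), bytearray(n)
        elif args and hasattr(args[0], "__len__"):
            size = len(args[0])  # list(sized_iterable)
        if size > MAX_ALLOC:
            raise pickle.UnpicklingError(f"{factory.__name__} of size {size} > MAX_ALLOC")
        return factory(*args)
    return guarded


class SizeGuardedUnpickler(RestrictedUnpickler):
    """Same name gate, plus argument bounds for the allocation gadgets."""
    def find_class(self, module, name):
        obj = super().find_class(module, name)
        return _bounded(obj) if obj in (bytes, bytearray, list, range) else obj


PAYLOAD_GETPID = craft_reduce_pickle(*GADGET)
PAYLOAD_BYTES_16 = craft_reduce_pickle("builtins", "bytes", 16)
PAYLOAD_BYTES_10GB = craft_reduce_pickle("builtins", "bytes", 10_000_000_000)  # 33 bytes


def load_gadget(delta_cls=None, allowlist_name="SAFE_TO_IMPORT"):
    """Optionally pollute the named allowlist through a Delta-like constructor, then
    unpickle the gadget. Returns the unpickled value or 'blocked: <ExceptionName>'."""
    diff = {"set_item_added": {f"__init__.__globals__.[{allowlist_name}]": {".".join(GADGET)}}}
    try:
        if delta_cls is not None:
            delta_cls(diff)
        return restricted_loads(PAYLOAD_GETPID)
    except (pickle.UnpicklingError, ValueError, AttributeError) as exc:
        return f"blocked: {type(exc).__name__}"
    finally:
        SAFE_TO_IMPORT.discard(".".join(GADGET))  # undo the pollution between runs


def load_with_cap(payload: bytes):
    try:
        return restricted_loads(payload, SizeGuardedUnpickler)
    except pickle.UnpicklingError as exc:
        return f"blocked: {exc}"
```

Calling the functions walks the whole story: `load_gadget()` is blocked because `posix.getpid` is not allowlisted; `load_gadget(VulnerableDelta)` returns the process id, because the constructor reached the mutable set through `__init__.__globals__` and the unpickler trusts that set; `load_gadget(HardenedDelta)` and `load_gadget(VulnerableDelta, "SAFE_TO_IMPORT_FROZEN")` are blocked, which are the two fix shapes the advisory describes (refuse dunder traversal, make the allowlist a frozenset); `load_with_cap(PAYLOAD_BYTES_10GB)` refuses before any allocation, while the same 33-byte payload fed to the plain `RestrictedUnpickler` would pass the name gate and try to build 10 GB, so never do that. The size cap is this example's own answer to the argument problem, not the project's fix.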
GHSA
CVE-2026-33155 [CRITICAL] CWE-400 DeepDiff has Memory Exhaustion DoS through SAFE_TO_IMPORT
ghsa · 2026-03-18 · CVSS 10.0
OSV
CVE-2025-58367 [CRITICAL] DeepDiff is a project focused on Deep Difference and search of any Python data
osv · 2025-09-05 · CVSS 10.0
GHSA
CVE-2025-58367 [CRITICAL] CWE-915 DeepDiff Class Pollution in Delta class leading to DoS, Remote Code Execution, and more
ghsa · 2025-09-03
### Summary
[Python class pollution](https://blog.abdulrah33m.com/prototype-pollution-in-python/) is a novel vulnerability categorized under [CWE-915](https://cwe.mitre.org/data/definitions/915.html). The `Delta` class is vulnerable to class pollution via its constructor, and when combined with a gadget available in DeepDiff itself, it can lead to Denial of Service and Remote Code Execution (via insecure [Pickle](https://docs.python.org/3/library/pickle.html) deserialization).
The gadget available in DeepDiff allows `deepdiff.serialization.SAFE_TO_IMPORT` to be modified to allow dangerous classes such as `posix.system`, and then perform insecure Pickle deserialization via the Delta class. This potent
OSV
CVE-2025-58367 [CRITICAL] DeepDiff Class Pollution in Delta class leading to DoS, Remote Code Execution, and more
osv · 2025-09-03
Debian
CVE-2025-58367 [CRITICAL] deepdiff - DeepDiff is a project focused on Deep Difference and search of any Python data. ...
vendor_debian · 2025 · CVSS 10.0
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-09-05