CVE-2025-69872
Published 2026-02-11
Priority P2 · 59 · critical · 9.8 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS 0.51% (39.6th percentile)
DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | diskcache | — | — |
Detection & IOCs (extracted from sources)
- Detect insecure pickle deserialization in python-diskcache: monitor for unexpected pickle file writes to cache directories used by applications that rely on python-diskcache through version 5.6.3.
- Scope of exploitation is local: focus detection on local file system access controls and on write events to the cache directory by untrusted users or processes.
- Impact is scoped to the user running the tool: monitor for process spawning by applications that read python-diskcache cache files, particularly when they run under service accounts.
- python-diskcache uses Python pickle serialization by default; applications must explicitly opt out of pickle (a non-pickling Disk class) to avoid exposure. No patch is available as of the advisory.
- Red Hat states that no viable mitigation is currently available that meets its deployment and ease-of-use criteria.
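The two things a practitioner wants to see for this class of bug are (a) that a planted pickle really does run code the moment the application reads it back, and (b) what a detection pass over cache blobs and a hardened loader look like. The following is an added, stand-alone Python example written for this page; it is not code from python-diskcache or from any of the advisories above, and it uses only the standard library (pickle, pickletools), so it does not need diskcache installed. `CacheGadget`, `referenced_globals`, `flag_suspicious`, `naive_load`, `safe_loads` and the blob names in `SAMPLE_CACHE` are illustrative names; the blobs are constructed in the block, and the gadget calls `eval` on a harmless string literal rather than `os.system` so the execution is visible without side effects. It serves both the description of the flaw and the "monitor for unexpected pickle writes to the cache directory" detection item above.

```python
"""Inspect and safely load pickle blobs from a cache directory (stdlib only).

Models the CVE-2025-69872 precondition: an attacker who can write to the cache
directory plants a pickle whose __reduce__ runs a function of their choice the
moment the application reads the entry back.  Nothing here needs python-diskcache.
"""
import io
import pickle
import pickletools


class CacheGadget:
    """Constructed attacker payload (hypothetical; not from any advisory).

    __reduce__ makes pickle call eval("...") at load time.  A real payload would
    call os.system or subprocess; this one just returns a string so the effect
    is visible and harmless.
    """

    def __reduce__(self):
        return (eval, ("'EXECUTED at load time'",))


# Constructed sample blobs, standing in for entries read out of a cache directory.
BENIGN_BLOB = pickle.dumps({"user": "alice", "hits": 3}, protocol=pickle.HIGHEST_PROTOCOL)
MALICIOUS_BLOB = pickle.dumps(CacheGadget(), protocol=pickle.HIGHEST_PROTOCOL)
SAMPLE_CACHE = {"entry-1.blob": BENIGN_BLOB, "entry-2.blob": MALICIOUS_BLOB}  # hypothetical names

# Opcodes that push a str onto the pickle VM stack; STACK_GLOBAL consumes the two most recent.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(blob: bytes) -> list:
    """List every (module, name) the blob would import, without executing anything.

    Handles GLOBAL (protocols 0-3, arg is "module name") and STACK_GLOBAL
    (protocol 4+, module and name are the last two strings pushed, possibly
    fetched back from the memo via a *GET opcode).
    """
    found, memo, strings, last = [], {}, [], None
    for op, arg, _pos in pickletools.genops(blob):
        name = op.name
        if name == "MEMOIZE":
            memo[len(memo)] = last
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        elif name == "GLOBAL":
            module, attr = arg.split(" ", 1)
            found.append((module, attr))
            last = None
        elif name == "STACK_GLOBAL":
            pair = tuple(strings[-2:]) if len(strings) >= 2 else ("<unknown>", "<unknown>")
            found.append(pair)
            last = None
        elif name in STRING_OPS:
            last = arg
            strings.append(arg)
        else:
            last = None      # any other push (ints, containers, marks) is not a str
    return found


def flag_suspicious(blobs: dict) -> dict:
    """Detection pass: blob name -> globals it references, for blobs that reference any.

    Plain cache data (dict/list/str/int/bytes) needs no globals at all, so any
    hit in a cache directory is worth an alert.
    """
    result = {}
    for name, blob in blobs.items():
        globs = referenced_globals(blob)
        if globs:
            result[name] = globs
    return result


def naive_load(blob: bytes):
    """The vulnerable pattern: plain pickle.loads on whatever was in the cache."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: refuse every global, so a __reduce__ gadget can never resolve a callable."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global {module}.{name} found in cache blob")


def safe_loads(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


if __name__ == "__main__":
    print("flagged:", flag_suspicious(SAMPLE_CACHE))
    print("naive load of planted blob ->", naive_load(MALICIOUS_BLOB))
    print("safe load of benign blob   ->", safe_loads(BENIGN_BLOB))
    try:
        safe_loads(MALICIOUS_BLOB)
    except pickle.UnpicklingError as exc:
        print("safe load of planted blob  -> rejected:", exc)
```

`naive_load` is the behaviour the advisory describes: the planted entry executes its gadget before the caller ever sees a value. `referenced_globals` finds the same gadget from the opcode stream alone, which is what a monitor can run over blobs written to the cache directory without loading them. `safe_loads` follows the "restricting globals" pattern from the Python pickle documentation; an empty allowlist is enough for plain cache data. For python-diskcache itself the cleaner opt-out is to stop storing pickles at all by passing a non-pickling Disk class to the cache, for example `diskcache.Cache(directory, disk=diskcache.JSONDisk)`, which limits values to JSON-serializable data; and regardless of serializer, the cache directory should be writable only by the account that runs the application.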
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |

These scores do not match the advisories' own scoping. The NVD vector rates the attack network-reachable with no privileges required (AV:N/PR:N), yet GHSA and OSV rate the advisory MEDIUM, and Debian, VulDB and Red Hat all describe the attack as local, with impact limited to the user running the application. The real precondition is write access to the cache directory: an attacker who already has that is the threat model, and the 9.8 should be read with that in mind when prioritising.
VulDB
DiskCache up to 5.6.3 Cache Directory code injection (Nessus ID 298789)
vuldb · 2026-07-01 · CVSS 9.8
CVE-2025-69872 [CRITICAL] DiskCache up to 5.6.3 Cache Directory code injection (Nessus ID 298789)
A vulnerability has been found in DiskCache up to 5.6.3 and classified as critical. This vulnerability affects unknown code of the component Cache Directory Handler. Performing a manipulation results in code injection.
This vulnerability is cataloged as CVE-2025-69872. The attack must be initiated from a local position. There is no exploit available.
GHSA
DiskCache has unsafe pickle deserialization
ghsa · 2026-02-11
CVE-2025-69872 [MEDIUM] CWE-502 DiskCache has unsafe pickle deserialization
DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache.
OSV
DiskCache has unsafe pickle deserialization
osv · 2026-02-11
CVE-2025-69872 [MEDIUM] DiskCache has unsafe pickle deserialization
DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache.
OSV
CVE-2025-69872: DiskCache (python-diskcache) through 5
osv · 2026-02-11 · CVSS 9.8
CVE-2025-69872 [CRITICAL] CVE-2025-69872: DiskCache (python-diskcache) through 5
DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache.
Red Hat
python-diskcache: python-diskcache: Arbitrary code execution via insecure pickle deserialization
vendor_redhat · 2026-02-11 · CVSS 9.8
CVE-2025-69872 [CRITICAL] CWE-502 python-diskcache: python-diskcache: Arbitrary code execution via insecure pickle deserialization
DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache.
A deserialization flaw was found in python-diskcache. This component uses Python pickle for serialization by default. An attacker with write access to the cache directory can exploit this vulnerability to achieve arbitrary code execution when a victim application reads from the cache. The impact of this flaw is scoped to the user running the tool.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat
Debian
CVE-2025-69872: diskcache - DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization ...
vendor_debian · 2025 · CVSS 9.8
CVE-2025-69872 [CRITICAL] CVE-2025-69872: diskcache - DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization ...
DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.
References
- https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69872-DiskCache-Pickle-Deserialization.md
- https://github.com/grantjenks/python-diskcache
- https://access.redhat.com/errata/RHSA-2026:3713
- https://access.redhat.com/security/cve/CVE-2025-69872
- https://bugzilla.redhat.com/show_bug.cgi?id=2439059
- https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-69872.json