CRITICAL🇵🇱 Wersja polska

CVE-2025-58367

CVSS 10.0v4.0pub. 2025-09-05upd. 2026-04-15

DeepDiff is a project focused on Deep Difference and search of any Python data. Versions 5.0.0 through 8.6.0 are vulnerable to class pollution via the Delta class constructor, and when combined with a gadget available in DeltaDiff, it can lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization) exploitation. The gadget available in DeepDiff allows `deepdiff.serialization.SAFE_TO_IMPORT` to be modified to allow dangerous classes such as posix.system, and then perform insecure Pickle deserialization via the Delta class. This potentially allows any Python code to be executed, given that the input to Delta is user-controlled. Depending on the application where DeepDiff is used, this can also lead to other vulnerabilities. This is fixed in version 8.6.1.

🤖 AI Analysis
How it works

The attacker exploits the class pollution vulnerability in the Delta class constructor to modify the `deepdiff.serialization.SAFE_TO_IMPORT` variable by adding unsafe classes such as `posix.system` to it. Subsequently, using a gadget available in DeepDiff, an unsafe Pickle deserialization process is performed via the Delta class. If input data passed to the Delta class is controlled by the user, it is possible to execute arbitrary Python code. Depending on the context of the application using DeepDiff, the exploit may also open the way to other vulnerabilities.

Impact

An attacker can execute arbitrary Python code on the server (RCE) or cause service unavailability (DoS). In a full compromise scenario, it is possible to gain complete control over the system running the vulnerable application.

Mitigation & patch

The DeepDiff library should be updated to version 8.6.1, in which the vulnerability has been fixed. The patch is available in the official project repository on GitHub (commit c69c06c13f75e849c770ade3f556cd16209fd183). Until the update is applied, ensure that no data from untrusted sources is passed to the Delta class constructor.

Who is affected

The Python library DeepDiff in versions 5.0.0 to 8.6.0 inclusive. It affects all applications that pass user-controlled data to the Delta class of the DeepDiff library.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDoSDeserialization
CWE
References