CVE-2025-58367

CRITICAL EPSS 60.2%

Published Sep 5, 20259mo ago · Modified Jun 17, 20261w ago

10.0 CVSS 4.0

Critical

Published Sep 5, 2025 9mo ago

Last Modified Jun 17, 2026 1w ago

Description

DeepDiff is a project focused on Deep Difference and search of any Python data. Versions 5.0.0 through 8.6.0 are vulnerable to class pollution via the Delta class constructor, and when combined with a gadget available in DeltaDiff, it can lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization) exploitation. The gadget available in DeepDiff allows `deepdiff.serialization.SAFE_TO_IMPORT` to be modified to allow dangerous classes such as posix.system, and then perform insecure Pickle deserialization via the Delta class. This potentially allows any Python code to be executed, given that the input to Delta is user-controlled. Depending on the application where DeepDiff is used, this can also lead to other vulnerabilities. This is fixed in version 8.6.1.

CVSS Details

Base Score

10.0

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

60.2% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-915

References 3

github.com https://github.com/seperman/deepdiff/commit/c69c06c13f75e849c770ade3f556cd16209fd183
github.com https://github.com/seperman/deepdiff/releases/tag/8.6.1
github.com https://github.com/seperman/deepdiff/security/advisories/GHSA-mw26-5g2v-hqw3

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.