Description

DeepDiff is a project focused on Deep Difference and search of any Python data. Versions 5.0.0 through 8.6.0 are vulnerable to class pollution via the Delta class constructor, and when combined with a gadget available in DeltaDiff, it can lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization) exploitation. The gadget available in DeepDiff allows `deepdiff.serialization.SAFE_TO_IMPORT` to be modified to allow dangerous classes such as posix.system, and then perform insecure Pickle deserialization via the Delta class. This potentially allows any Python code to be executed, given that the input to Delta is user-controlled. Depending on the application where DeepDiff is used, this can also lead to other vulnerabilities. This is fixed in version 8.6.1.

INFO

Published Date :

2025-09-05T21:52:31.743Z

Last Modified :

2025-09-08T20:08:37.812Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-58367 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-58367.

URL Resource
https://github.com/seperman/deepdiff/commit/c69c06c13f75e849c770ade3f556cd16209fd183 cve-icon cve-icon
https://github.com/seperman/deepdiff/releases/tag/8.6.1 cve-icon cve-icon
https://github.com/seperman/deepdiff/security/advisories/GHSA-mw26-5g2v-hqw3 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability