CVE Catalog

CVE-2021-47952

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.70%

48th percentile — higher than 48% of all known CVEs

Summary

The vulnerability in jsonpickle 2.0.0 allows remote code execution by deserializing malicious JSON payloads containing py/repr objects. An attacker can craft a specially prepared JSON that, during deserialization, invokes the eval function to execute arbitrary Python commands.

Risk Assessment

The risk for the organization includes the possibility of remote attackers taking control of the system, stealing data, or installing malware without authentication.

Recommendation

Immediately update the jsonpickle library to version 2.0.1 or later, which fixes this vulnerability. In the meantime, avoid deserializing untrusted JSON data.

Original NVD description (English source)

python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Attackers can craft JSON strings with py/repr directives that invoke the eval function during deserialization to execute arbitrary code.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS