CVE-2021-47952
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk48th percentile — higher than 48% of all known CVEs
Summary
The vulnerability in jsonpickle 2.0.0 allows remote code execution by deserializing malicious JSON payloads containing py/repr objects. An attacker can craft a specially prepared JSON that, during deserialization, invokes the eval function to execute arbitrary Python commands.
Risk Assessment
The risk for the organization includes the possibility of remote attackers taking control of the system, stealing data, or installing malware without authentication.
Recommendation
Immediately update the jsonpickle library to version 2.0.1 or later, which fixes this vulnerability. In the meantime, avoid deserializing untrusted JSON data.
Original NVD description (English source)
python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Attackers can craft JSON strings with py/repr directives that invoke the eval function during deserialization to execute arbitrary code.

