CVE-2021-47952

Summary

python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Attackers can craft JSON strings with py/repr directives that invoke the eval function during deserialization to execute arbitrary code.

Affected Software

VendorProductVersion RangeStatus
Jsonpicklepython jsonpickle2.0.0affected

Weaknesses

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

python-jsonpickle: python-jsonpickle: Arbitrary Code Execution via Malicious JSON Deserialization

Additional References

References