CVE-2026-25632 in EPyT-Flow

Summary

by MITRE • 02/06/2026

EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files. This vulnerability is fixed in 0.16.1.


Analysis

by VulDB Data Team • 03/19/2026

The vulnerability identified as CVE-2026-25632 affects EPyT-Flow, a Python package used for generating hydraulic and water quality scenario data in water distribution networks. This security flaw exists in versions prior to 0.16.1 and stems from a dangerous implementation in the REST API's JSON parsing mechanism. The core issue lies in the custom deserializer function named my_load_from_json which processes attacker-controlled JSON request bodies. The deserializer specifically examines JSON objects for a type field that enables dynamic module and class loading capabilities, creating a path for arbitrary code execution through improper input validation and sanitization.

Exploitation requires only a crafted JSON document containing a type field that names a Python module and class. When the vulnerable deserializer processes this input, it imports the named module and instantiates the class with the attacker-supplied arguments, so the parsing step itself performs arbitrary object construction. Because the module and class names are unrestricted, a caller can name classes such as subprocess.Popen, whose instantiation executes operating system commands with the privileges of the running application. The vulnerability is not limited to API request bodies: the same deserializer is used when loading JSON files, which widens the attack surface. The flaw is a classic case of insecure deserialization, where user input directly controls which objects are created and with what arguments.

This vulnerability directly maps to CWE-502 which describes "Deserialization of Untrusted Data" and specifically relates to CWE-94 which covers "Improper Control of Generation of Code ('Code Injection')." The attack pattern follows the ATT&CK framework's technique T1059.001 for "Command and Scripting Interpreter: PowerShell" and T1059.007 for "Command and Scripting Interpreter: Python" when attackers leverage the dynamic import capabilities to execute malicious commands. The impact of this vulnerability is severe as it allows remote code execution on systems running affected versions of EPyT-Flow, potentially enabling attackers to gain full control over the affected system, access sensitive data, or disrupt water distribution network operations. The vulnerability affects critical infrastructure applications where water quality and hydraulic modeling are performed, making it particularly concerning for public utilities and industrial control systems.

Organizations using EPyT-Flow should immediately upgrade to version 0.16.1 or later to mitigate this vulnerability. System administrators should also implement network monitoring to detect potential exploitation attempts and consider implementing application firewalls or API gateways that can filter malicious JSON payloads before they reach the vulnerable deserializer. Additional mitigations include disabling unnecessary JSON file loading capabilities, implementing strict input validation for all JSON data, and conducting regular security assessments of third-party Python packages. The vulnerability demonstrates the importance of avoiding dynamic imports from untrusted sources and implementing proper sandboxing mechanisms when processing user-supplied data in Python applications.
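The following is an added illustration and not EPyT-Flow's own code: a simplified reconstruction of the type-driven deserialization pattern the advisory describes (any module.Class named in a type field is imported and instantiated), an allow-list hardened variant that resolves type only through an explicit registry, and a pre-filter of the kind an API gateway could run to reject payloads naming unregistered types before they reach the deserializer. The Point class, the REGISTRY mapping, the function names and the sample request are assumptions constructed for this example.

```python
"""Added example (not EPyT-Flow's own code): type-field deserialization,
a hardened allow-list version, and a gateway-style pre-filter."""
import importlib
import json
from typing import Any, Callable, Dict, Iterator, List


# --- Vulnerable pattern: simplified reconstruction of what the advisory describes ---
def vulnerable_object_hook(obj: Dict[str, Any]) -> Any:
    """Hypothetical hook: a "type" field selects module.Class, which is imported
    and instantiated with the remaining keys as keyword arguments.
    Nothing restricts which module or class may be named."""
    type_name = obj.get("type")
    if isinstance(type_name, str):
        module_name, _, class_name = type_name.rpartition(".")
        cls = getattr(importlib.import_module(module_name), class_name)
        kwargs = {k: v for k, v in obj.items() if k != "type"}
        return cls(**kwargs)
    return obj


def vulnerable_load(text: str) -> Any:
    """Parse JSON, instantiating whatever the type fields name (unsafe)."""
    return json.loads(text, object_hook=vulnerable_object_hook)


# --- Hardened pattern: an explicit registry replaces import-by-name ---
class Point:
    """Constructed sample domain class that the application legitimately deserializes."""

    def __init__(self, x: float, y: float):
        self.x, self.y = x, y


# Only names listed here can ever be instantiated from JSON (assumption: app-specific).
REGISTRY: Dict[str, Callable[..., Any]] = {"Point": Point}


def safe_object_hook(obj: Dict[str, Any]) -> Any:
    """Resolve "type" through the registry; unknown names are rejected, never imported."""
    type_name = obj.get("type")
    if isinstance(type_name, str):
        factory = REGISTRY.get(type_name)
        if factory is None:
            raise ValueError(f"unregistered type: {type_name!r}")
        kwargs = {k: v for k, v in obj.items() if k != "type"}
        return factory(**kwargs)
    return obj


def safe_load(text: str) -> Any:
    """Parse JSON with the allow-list hook."""
    return json.loads(text, object_hook=safe_object_hook)


# --- Pre-filter: inspect plain parsed JSON and report type fields not in the registry ---
def _walk(node: Any) -> Iterator[str]:
    if isinstance(node, dict):
        type_name = node.get("type")
        if isinstance(type_name, str) and type_name not in REGISTRY:
            yield type_name
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def unregistered_types(text: str) -> List[str]:
    """Return every type value in the document that the registry does not allow.
    Runs on plain dicts/lists only, so nothing is imported or instantiated."""
    return list(_walk(json.loads(text)))


# Constructed sample request body: two legitimate objects and one disallowed type name.
SAMPLE_REQUEST = json.dumps({
    "scenario": {"type": "Point", "x": 0, "y": 0},
    "params": [{"type": "Point", "x": 1, "y": 1}, {"type": "subprocess.Popen"}],
})


if __name__ == "__main__":
    # The unsafe loader happily imports an arbitrary stdlib class named in the payload.
    frac = vulnerable_load('{"type": "fractions.Fraction", "numerator": 3, "denominator": 4}')
    print("vulnerable loader built:", type(frac).__name__, frac)
    # The hardened loader accepts registered types and rejects everything else.
    print("safe loader built:", type(safe_load('{"type": "Point", "x": 1, "y": 2}')).__name__)
    print("pre-filter flagged:", unregistered_types(SAMPLE_REQUEST))
```

The registry approach is the structural fix: the deserializer never touches importlib, so the type value can only select among classes the application chose in advance. The pre-filter is the layered control the analysis mentions for gateways and application firewalls; because it walks plain dicts and lists after a standard json.loads, it can flag a payload without giving it any chance to execute.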

Responsible: GitHub M
Reservation: 02/04/2026
Disclosure: 02/06/2026
Moderation: accepted
CPE: ready
EPSS: 0.00082
KEV: no
Activities: very low
