seperman deepdiff up to 8.6.0 posix.system dynamically-determined object attributes
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.0 | $0-$5k | 0.00 |
Summary
A vulnerability was found in seperman deepdiff up to 8.6.0. It has been rated as critical. Affected is an unknown function in the library posix.system. Performing a manipulation results in dynamically-determined object attributes. This vulnerability is cataloged as CVE-2025-58367. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is advised.
Details
A vulnerability, which was classified as critical, was found in seperman deepdiff up to 8.6.0. This affects an unknown function in the library posix.system. The manipulation with an unknown input leads to a dynamically-determined object attributes vulnerability. CWE is classifying the issue as CWE-915. The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:
DeepDiff is a project focused on Deep Difference and search of any Python data. Versions 5.0.0 through 8.6.0 are vulnerable to class pollution via the Delta class constructor, and when combined with a gadget available in DeltaDiff, it can lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization) exploitation. The gadget available in DeepDiff allows `deepdiff.serialization.SAFE_TO_IMPORT` to be modified to allow dangerous classes such as posix.system, and then perform insecure Pickle deserialization via the Delta class. This potentially allows any Python code to be executed, given that the input to Delta is user-controlled. Depending on the application where DeepDiff is used, this can also lead to other vulnerabilities. This is fixed in version 8.6.1.
It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2025-58367 since 08/29/2025. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details of the vulnerability are known, but there is no available exploit.
The vulnerability scanner Nessus provides a plugin with the ID 264513 (openSUSE 15 Security Update : python-deepdiff (SUSE-SU-2025:03127-1)), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 8.6.1 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch c69c06c13f75e849c770ade3f556cd16209fd183 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the databases at Tenable (264513) and EUVD (EUVD-2025-27049). Be aware that VulDB is the high quality source for vulnerability data.
Product
Vendor
Name
Version
License
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CNA CVSS-B Score: 🔒
CNA CVSS-BT Score: 🔒
CNA Vector: 🔒
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 7.0
VulDB Base Score: 7.3
VulDB Temp Score: 7.0
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Dynamically-determined object attributesCWE: CWE-915 / CWE-913
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 264513
Nessus Name: openSUSE 15 Security Update : python-deepdiff (SUSE-SU-2025:03127-1)
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: deepdiff 8.6.1
Patch: c69c06c13f75e849c770ade3f556cd16209fd183
Timeline
08/29/2025 CVE reserved09/06/2025 Advisory disclosed
09/06/2025 VulDB entry created
09/11/2025 VulDB entry last update
Sources
Product: github.comAdvisory: GHSA-mw26-5g2v-hqw3
Status: Confirmed
CVE: CVE-2025-58367 (🔒)
GCVE (CVE): GCVE-0-2025-58367
GCVE (VulDB): GCVE-100-322959
EUVD: 🔒
Entry
Created: 09/06/2025 09:22Updated: 09/11/2025 20:57
Changes: 09/06/2025 09:22 (70), 09/06/2025 19:21 (1), 09/11/2025 20:57 (2)
Complete: 🔍
Cache ID: 216::103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.