CVE-2026-25632: EPyT-Flow vulnerable to unsafe JSON deserialization (__type__)
EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a __type__ field. When __type__ is present, the deserializer dynamically imports the attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. The same deserializer is used when loading JSON files, so file loading is affected as well.
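The pattern the advisory describes, an object hook that imports whatever module.Class a __type__ tag names, and the allowlist-based replacement that closes the hole, shown side by side as an added example. This is not EPyT-Flow's code and not the fix in the referenced commit; it assumes (as a constructed convention) that the remaining keys of a tagged object are the constructor's keyword arguments, and the allowlist contents are made up for the demonstration. A detection helper that lists rejected tags without instantiating anything is included for use on request logs.

```python
import collections
import datetime
import importlib
import json

# Allowlist for the hardened loader: the only "__type__" values that may be
# reconstructed, mapped to the constructor that builds them. Constructed for
# this example; a real service lists the few classes it actually serialises.
ALLOWED_TYPES = {
    "collections.Counter": collections.Counter,
    "datetime.timedelta": datetime.timedelta,
}


class UnsafeTypeError(ValueError):
    """Raised when a JSON body names a type the loader refuses to instantiate."""


def _split_type(obj):
    """Pop the "__type__" tag; the remaining keys become constructor kwargs
    (an assumed convention, not necessarily the one my_load_from_json uses)."""
    type_name = obj.pop("__type__")
    return type_name, obj


def unsafe_object_hook(obj):
    """The 'before' pattern from CVE-2026-25632: the module named in the tag is
    imported and the class called with request-supplied arguments. Any
    importable class is reachable, which is the whole problem."""
    if "__type__" not in obj:
        return obj
    type_name, kwargs = _split_type(obj)
    module_name, _, class_name = type_name.rpartition(".")
    cls = getattr(importlib.import_module(module_name), class_name)
    return cls(**kwargs)


def safe_object_hook(obj):
    """Hardened form: the tag is a lookup key into ALLOWED_TYPES and is never
    turned into an import, so nothing outside the allowlist can be built."""
    if "__type__" not in obj:
        return obj
    type_name, kwargs = _split_type(obj)
    if not isinstance(type_name, str) or type_name not in ALLOWED_TYPES:
        raise UnsafeTypeError(f"refusing to instantiate {type_name!r}: not in allowlist")
    return ALLOWED_TYPES[type_name](**kwargs)


def unsafe_load_from_json(text):
    """Vulnerable loader, kept only for contrast with safe_load_from_json."""
    return json.loads(text, object_hook=unsafe_object_hook)


def safe_load_from_json(text):
    """Drop-in replacement: same JSON conventions, allowlisted types only."""
    return json.loads(text, object_hook=safe_object_hook)


def find_disallowed_types(text):
    """Detection helper: return every "__type__" value in a body (for example a
    logged request) that the allowlist would reject, without building objects.
    json.loads calls the hook innermost-first, so nested tags are seen too."""
    found = []

    def collect(obj):
        tag = obj.get("__type__")
        if isinstance(tag, str) and tag not in ALLOWED_TYPES:
            found.append(tag)
        return obj

    json.loads(text, object_hook=collect)
    return found


if __name__ == "__main__":
    # Constructed sample bodies: one legitimate, one naming a class the
    # service never meant to expose.
    ok_body = '{"timeout": {"__type__": "datetime.timedelta", "seconds": 30}}'
    bad_body = '{"timeout": {"__type__": "subprocess.Popen"}}'
    print(safe_load_from_json(ok_body))
    print("rejected tags:", find_disallowed_types(bad_body))
    try:
        safe_load_from_json(bad_body)
    except UnsafeTypeError as exc:
        print("blocked:", exc)
```

The important design choice is that the hardened hook never derives an import from request data: the tag selects an entry in a fixed table, and the table is the complete set of types the service is willing to construct. Review for this bug class is therefore a search for importlib.import_module, __import__ or getattr(module, name) fed from a deserializer's input.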
References
- github.com/WaterFutures/EPyT-Flow
- github.com/WaterFutures/EPyT-Flow/commit/3fff9151494c7dbc72073830b734f0a7e550e385
- github.com/WaterFutures/EPyT-Flow/releases/tag/v0.16.1
- github.com/WaterFutures/EPyT-Flow/security/advisories/GHSA-74vm-8frp-7w68
- github.com/advisories/GHSA-74vm-8frp-7w68
- nvd.nist.gov/vuln/detail/CVE-2026-25632