GHSA-74vm-8frp-7w68: EPyT-Flow vulnerable to unsafe JSON deserialization (type)

February 4, 2026

EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files.

References

github.com/WaterFutures/EPyT-Flow
github.com/WaterFutures/EPyT-Flow/commit/3fff9151494c7dbc72073830b734f0a7e550e385
github.com/WaterFutures/EPyT-Flow/security/advisories/GHSA-74vm-8frp-7w68
github.com/advisories/GHSA-74vm-8frp-7w68

Code Behaviors & Features

Detect and mitigate GHSA-74vm-8frp-7w68 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →