Python Class Pollution Vulnerability in Django-Unicorn
CVE-2025-24370

9.3 CRITICAL

Key Information:

Vendor: adamghill
Product: django-unicorn
CVE Published: 3 February 2025

Summary

Django-Unicorn, a library that adds reactive components to Django templates, is vulnerable to Python class pollution. The flaw lies in the set_property_value function: an attacker can craft component requests that remotely control its second and third parameters, the property path to write and the value to assign. Class pollution works because such a path is resolved segment by segment with ordinary attribute lookup, so a path that names internal attributes (for example a component's class, or the global namespace reached through a method) escapes the component's declared state and writes into classes and modules shared by the whole Python runtime. Depending on what is overwritten, this enables Cross-Site Scripting (XSS), Denial of Service (DoS) and authentication bypass in virtually any application built on Django-Unicorn. There is no workaround; upgrade to version 0.62.0 or later.
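The following is an added, self-contained illustration of the class-pollution pattern the advisory describes. It is not django-unicorn's code and does not reproduce its request format: the Component class, the module-level DEBUG setting, the two set_property_value variants and the attacker payloads are all constructed here. The unsafe variant walks a dotted property path with getattr/setattr (the vulnerable idea), and the hardened variant shows the checks a maintainer would want: reject private and dunder segments, whitelist the root field, and refuse to traverse through anything that is not plain data.

```python
"""Added example for CVE-2025-24370-style Python class pollution.

NOT django-unicorn's code: Component, DEBUG, the payloads and both
set_property_value variants are constructed for this demonstration.
"""
from __future__ import annotations

from typing import Any

# Constructed module-level setting that an attacker would like to flip.
DEBUG = False


def current_debug() -> bool:
    """Read the module global at call time so pollution can be observed."""
    return DEBUG


class Component:
    """Stand-in reactive component; only public_fields are meant to be writable."""

    public_fields = ("name", "count", "settings")
    template_name = "safe.html"  # class attribute shared by every instance

    def __init__(self) -> None:
        self.name = "guest"
        self.count = 0
        self.settings = {"theme": "light"}


def _get_child(obj: Any, key: str) -> Any:
    return obj[key] if isinstance(obj, dict) else getattr(obj, key)


def _set_child(obj: Any, key: str, value: Any) -> None:
    if isinstance(obj, dict):
        obj[key] = value
    else:
        setattr(obj, key, value)


def set_property_value_unsafe(component: Any, property_name: str, value: Any) -> None:
    """Vulnerable pattern (hypothetical): walks any dotted path, dunders included.

    "__class__" escapes to the class object; "__init__.__globals__" escapes to
    the module's global namespace. Nothing stops either.
    """
    parts = property_name.split(".")
    target = component
    for part in parts[:-1]:
        target = _get_child(target, part)
    _set_child(target, parts[-1], value)


def set_property_value_safe(component: Component, property_name: str, value: Any) -> None:
    """Hardened variant: identifier-only segments, no leading underscore,
    whitelisted root field, and traversal only through dicts (plain data)."""
    parts = property_name.split(".")
    if not parts or not all(p.isidentifier() and not p.startswith("_") for p in parts):
        raise ValueError(f"rejected property path: {property_name!r}")
    if parts[0] not in component.public_fields:
        raise ValueError(f"unknown field: {parts[0]!r}")
    target: Any = component
    for part in parts[:-1]:
        target = _get_child(target, part)
        if not isinstance(target, dict):
            raise ValueError(f"traversal through non-data object at {part!r}")
    _set_child(target, parts[-1], value)


def demo() -> dict[str, Any]:
    """Run constructed attacker payloads against both variants and report."""
    results: dict[str, Any] = {}
    victim = Component()

    # Payload 1: pollute a class attribute; a fresh instance now sees it.
    set_property_value_unsafe(victim, "__class__.template_name", "evil.html")
    results["class_polluted"] = Component().template_name
    Component.template_name = "safe.html"  # restore for the remaining checks

    # Payload 2: reach module globals through a bound method's __globals__.
    set_property_value_unsafe(victim, "__init__.__globals__.DEBUG", True)
    results["global_polluted"] = current_debug()

    # The hardened setter rejects every escape path but allows a legitimate write.
    rejected = []
    for path in ("__class__.template_name", "__init__.__globals__.DEBUG", "count.__class__"):
        try:
            set_property_value_safe(victim, path, "x")
        except ValueError:
            rejected.append(path)
    results["rejected"] = rejected
    set_property_value_safe(victim, "settings.theme", "dark")
    results["legit_write"] = victim.settings["theme"]
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the two escapes succeeding against the unsafe setter (a class attribute and a module global are overwritten from a single component request) and the same payloads being refused by the hardened one, which still accepts the nested write to settings.theme. The underscore check alone is not sufficient in general (attributes reachable without dunders can still be dangerous), which is why the root-field whitelist and the dict-only traversal rule are kept as well.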

Affected Version(s)

django-unicorn < 0.62.0

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
None
User Interaction:
None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 3 February 2025