Vulnerability in DeepDiff Product by Seperman Leads to Remote Code Execution
CVE-2025-58367

10 CRITICAL

Key Information:

Vendor:
Seperman

Status:
Vendor

CVE Published:
5 September 2025

What is CVE-2025-58367?

DeepDiff, a library for identifying differences within Python data, is susceptible to class pollution through the constructor of its Delta class. When exploited, this can lead to Denial of Service and to Remote Code Execution via insecure Pickle deserialization: the pollution lets an attacker modify the deepdiff.serialization.SAFE_TO_IMPORT attribute so that it includes unsafe classes, which can result in execution of arbitrary Python code when user-controlled input is processed. This vulnerability affects all DeepDiff versions from 5.0.0 to 8.6.0 and is resolved in version 8.6.1.
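As an added defensive example, not code from this advisory or from the DeepDiff project: a pre-flight check that tests whether an installed deepdiff version falls inside the affected range stated above, and a guard that snapshots an allowlist such as deepdiff.serialization.SAFE_TO_IMPORT at startup so that any entry added later, which is the effect the advisory describes, is detected before the next deserialization. The sample allowlist is constructed, and treating SAFE_TO_IMPORT as a mutable set of dotted names is an assumption.

```python
import re

# Affected range from the advisory: deepdiff >= 5.0.0, < 8.6.1
AFFECTED_MIN = (5, 0, 0)
FIXED = (8, 6, 1)


def parse_version(version: str) -> tuple:
    """Reduce '8.6.0' / '8.6' / '8.6.0rc1' to a 3-tuple of ints; pre-release
    suffixes are ignored, so an '8.6.1rc1' would count as fixed here."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected_version(version: str) -> bool:
    """True when the installed version lies in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


class AllowlistGuard:
    """Snapshot a mutable allowlist at startup and detect later widening.

    The advisory's class pollution grows SAFE_TO_IMPORT so pickle will import
    classes it otherwise refuses; comparing the live set against a trusted
    baseline, taken before any untrusted input, catches that before the next load.
    """

    def __init__(self, allowlist):
        self._live = allowlist                  # live object, re-read on every check
        self._baseline = frozenset(allowlist)   # trusted snapshot

    def added_entries(self) -> set:
        """Entries present now that were absent from the baseline."""
        return set(self._live) - self._baseline

    def verify(self) -> None:
        """Raise if the allowlist was widened; call before each untrusted load."""
        added = self.added_entries()
        if added:
            raise RuntimeError(f"allowlist widened at runtime: {sorted(added)}")


if __name__ == "__main__":
    # Constructed allowlist standing in for deepdiff.serialization.SAFE_TO_IMPORT;
    # in a deployment, pass the real attribute to AllowlistGuard instead.
    allowlist = {"builtins.range", "builtins.complex"}
    guard = AllowlistGuard(allowlist)
    print("8.6.0 affected:", is_affected_version("8.6.0"))   # True
    allowlist.add("some.module.UnexpectedClass")   # simulate runtime widening
    print("added:", guard.added_entries())         # {'some.module.UnexpectedClass'}
```

The version check only reads metadata, so it can run in CI against the pinned dependency; the guard is meant to run in the process that actually deserializes Delta input.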

Affected Version(s)

deepdiff >= 5.0.0, < 8.6.1

References

CVSS V4

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability Published

  • Vulnerability Reserved
