
CVE-2026-33155

Published 20/03/2026 21:17 · Modified 20/03/2026 21:17

Labels: CVE-2026-33155, 2026-03-20, CWE-400, [email protected]

Essential information

Published: 20/03/2026 21:17
Modified: 20/03/2026 21:17
Author: Creator
CVSS: 8.7 HIGH (v3), 8.7 HIGH (v4.0)
CISA KEV: No
CWE: CWE-400
CVSS vector:

CVSS metrics

Description

DeepDiff is a project focused on deep difference and search of any Python data. In versions from 5.0.0 up to, but not including, 8.6.2, the pickle unpickler _RestrictedUnpickler validates which classes may be loaded but does not limit the arguments passed to their constructors. A few of the types in SAFE_TO_IMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte pickle payload can force 10+ GB of memory allocation, crashing applications that load delta objects or call pickle_load on untrusted data. This issue has been patched in version 8.6.2.
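The mechanism described above, as an added example that is not DeepDiff's own code: a restricted unpickler that allowlists class names only (the pre-8.6.2 pattern) beside a variant that also bounds the integer arguments handed to size-allocating constructors, so the REDUCE opcode never reaches the constructor with an oversize request. The three-entry SAFE_TO_IMPORT is a stand-in for the project's list, the class names and MAX_ALLOC are hypothetical, and constructor_call_pickle builds constructed test pickles of the shape the description refers to.

```python
import io
import pickle

# Stand-in for the page's SAFE_TO_IMPORT: only these classes may be loaded.
SAFE_TO_IMPORT = {("builtins", "bytes"), ("builtins", "list"), ("builtins", "range")}
# Constructors whose allocation scales with an integer argument, and a hypothetical cap.
SIZE_TAKING = {"bytes", "range"}
MAX_ALLOC = 1 << 20


class ClassOnlyUnpickler(pickle.Unpickler):
    """Pre-8.6.2 pattern: validates the class name but not its constructor arguments."""
    def find_class(self, module, name):
        if (module, name) not in SAFE_TO_IMPORT:
            raise pickle.UnpicklingError(f"forbidden global {module}.{name}")
        return getattr(__import__(module), name)


class ArgBoundedUnpickler(ClassOnlyUnpickler):
    """Hardened variant: size-taking constructors are wrapped so an oversize integer
    argument is rejected before the REDUCE opcode allocates anything."""
    def find_class(self, module, name):
        cls = super().find_class(module, name)
        if name not in SIZE_TAKING:
            return cls  # list() only copies what the bounded constructors already produced

        def guarded(*args):
            for arg in args:
                if isinstance(arg, int) and not isinstance(arg, bool) and abs(arg) > MAX_ALLOC:
                    raise pickle.UnpicklingError(f"{name}({arg}) exceeds MAX_ALLOC={MAX_ALLOC}")
            return cls(*args)
        return guarded


def restricted_load(data: bytes, bounded: bool):
    """Unpickle `data` with the class-only loader (bounded=False) or the hardened one."""
    unpickler = ArgBoundedUnpickler if bounded else ClassOnlyUnpickler
    return unpickler(io.BytesIO(data)).load()


class _Call:
    """Constructed test fixture: pickles to a REDUCE opcode that calls func(*args)."""
    def __init__(self, func, args):
        self.func, self.args = func, args

    def __reduce__(self):
        return (self.func, self.args)


def constructor_call_pickle(func, args) -> bytes:
    """Build a small constructed pickle asking the loader to call func(*args)."""
    return pickle.dumps(_Call(func, args), protocol=4)
```

With bounded=False the loader happily allocates whatever size the few-dozen-byte pickle names; with bounded=True the same pickle is refused before allocation.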

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product | CPE
deepdiff / deepdiff | cpe:2.3:a:deepdiff:deepdiff:5.0.0-8.6.2:*:*:*:*:*:*:*

References