JsonPickle 1.4.2 allows remote code execution during deserialization of a malicious payload through the decode() function.
Attack Vectors: jsonpickle can be exploited by deserialization of a malicious jsonpickled payload with the default decode() function of its object. The payload can be easily generated by this payload generator: https://github.com/j0lt-github/python-deserialization-attack-payload-generator
and passed to the decode function like `object = jsonpickle.decode(payload)`; it will certainly execute the command.
This report was also sent to the project in Tidelift. I've responded there as well indicating that this is a known issue and that there's no known fix for this vulnerability. Recommend closing as wontfix.
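Because the project treats this as inherent to jsonpickle rather than a bug to be fixed, the mitigation has to live on the caller's side: never hand untrusted input to `jsonpickle.decode()`. The check below is an added example written for this page, not code from the jsonpickle project or the reporter. It relies on one fact about the format: every Python-specific construct jsonpickle emits is keyed by a name starting with `py/` (`py/object`, `py/reduce`, `py/type`, `py/state`, ...), while plain JSON data never uses that prefix. The helper parses input with the standard `json` module only, reports the location of every `py/` key, and refuses the document if any is present. The sample documents, the `placeholder.module.Class` name and the size limit are constructed for the demonstration.

```python
import json
from typing import Any, List

# Prefix jsonpickle uses for all of its object-reconstruction tags.
JSONPICKLE_TAG_PREFIX = "py/"


class UnsafeDocument(ValueError):
    """Raised when untrusted input carries jsonpickle tags or is oversized."""


def find_tags(node: Any, path: str = "$") -> List[str]:
    """Return a path for every 'py/*' key found anywhere in a parsed JSON tree.

    Only dicts and lists can nest, so the walk is exhaustive for any value
    json.loads() can produce.
    """
    found: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(key, str) and key.startswith(JSONPICKLE_TAG_PREFIX):
                found.append(f"{path}.{key}")
            found.extend(find_tags(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            found.extend(find_tags(item, f"{path}[{index}]"))
    return found


def tags_in(text: str) -> List[str]:
    """Parse text as plain JSON and list the jsonpickle tags it contains."""
    return find_tags(json.loads(text))


def load_untrusted(text: str, max_bytes: int = 1_000_000) -> Any:
    """Load untrusted input as plain JSON; refuse anything tagged for jsonpickle.

    jsonpickle.decode() is never called here, so the result consists only of
    dicts, lists, str, int, float, bool and None and no class is instantiated.
    The size limit (constructed value) bounds parser work on hostile input.
    """
    if len(text.encode("utf-8")) > max_bytes:
        raise UnsafeDocument("document exceeds size limit")
    data = json.loads(text)
    tags = find_tags(data)
    if tags:
        raise UnsafeDocument("jsonpickle tags present: " + ", ".join(tags))
    return data


# Constructed sample documents: ordinary data and the same record carrying
# jsonpickle object tags (class name is a placeholder, not a real gadget).
SAFE_DOC = '{"user": {"name": "alice", "roles": ["reader"]}}'
TAGGED_DOC = (
    '{"user": {"py/object": "placeholder.module.Class", '
    '"py/state": {"name": "alice"}}}'
)


def demo() -> dict:
    """Run both documents through the guard and report the outcome of each."""
    outcome = {"safe": load_untrusted(SAFE_DOC)}
    try:
        load_untrusted(TAGGED_DOC)
        outcome["tagged"] = "accepted"
    except UnsafeDocument as err:
        outcome["tagged"] = f"rejected: {err}"
    return outcome


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

If the application genuinely needs jsonpickle's richer encoding for data it produced itself, keep that path separate from any input that crosses a trust boundary, and log every rejection from this guard: a `py/` tag arriving from outside is a strong indicator that someone is probing for exactly the deserialization path this issue describes.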