Impact
EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a
custom deserializer (my_load_from_json) that supports a type field.
When type is present, the deserializer dynamically imports an
attacker-specified module/class and instantiates it with attacker-supplied
arguments. This allows invoking dangerous classes such as subprocess.Popen,
which can lead to OS command execution during JSON parsing.
This also affects the loading of JSON files.
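The safe way to support a type field in a JSON document is to map it onto an explicit allowlist of deserializable classes rather than importing whatever module path the document names. The following is an added example (not EPyT-Flow's code, and the class names, the safe_load_from_json function and the registry are hypothetical) that mirrors the described document shape, a type key plus constructor arguments, but refuses any type that was not registered up front, so a request body naming subprocess.Popen is rejected before anything is instantiated.

```python
"""Allowlist-based JSON deserializer (added example, not EPyT-Flow's code).

Assumed document shape (hypothetical, modelled on the advisory): an object
carrying a "type" key names a class, and its remaining keys are the keyword
arguments for that class. Only classes explicitly registered below may be
instantiated; anything else raises before any import or constructor runs.
"""
import json
from dataclasses import dataclass, fields, is_dataclass
from typing import Any, Dict

# Registry of classes that JSON documents are allowed to reference.
TYPE_REGISTRY: Dict[str, type] = {}


class UnsafeTypeError(ValueError):
    """Raised when a document names a type outside the allowlist."""


def register(cls: type) -> type:
    """Class decorator: allow JSON documents to reference this class by name."""
    TYPE_REGISTRY[cls.__name__] = cls
    return cls


@register
@dataclass
class SensorConfig:  # hypothetical example class
    sensor_id: str
    sampling_rate: int = 1


@register
@dataclass
class Scenario:  # hypothetical example class
    name: str
    sensor: SensorConfig


def _object_hook(obj: dict) -> Any:
    """json.loads hook: turn {"type": ..., ...} into a registered object.

    json.loads invokes the hook bottom-up, so nested objects are already
    decoded by the time their parent is built.
    """
    type_name = obj.get("type")
    if type_name is None:
        return obj  # plain object, no type tag: keep it as a dict
    cls = TYPE_REGISTRY.get(type_name)
    if cls is None:
        # No dynamic import: an unregistered name is simply an error.
        raise UnsafeTypeError(
            f"type {type_name!r} is not an allowed deserialization target")
    kwargs = {k: v for k, v in obj.items() if k != "type"}
    if is_dataclass(cls):
        # Reject unexpected keys explicitly instead of letting the constructor
        # surface them as a generic TypeError.
        allowed = {f.name for f in fields(cls)}
        unknown = set(kwargs) - allowed
        if unknown:
            raise UnsafeTypeError(
                f"unexpected fields {sorted(unknown)} for type {type_name!r}")
    return cls(**kwargs)


def safe_load_from_json(text: str) -> Any:
    """Parse JSON text, instantiating only allowlisted types."""
    return json.loads(text, object_hook=_object_hook)


def safe_load_json_file(path: str) -> Any:
    """Same allowlist applied to JSON files, since file loading is affected too."""
    with open(path, "r", encoding="utf-8") as fh:
        return safe_load_from_json(fh.read())


if __name__ == "__main__":
    # Constructed sample document for a local run.
    doc = ('{"type": "Scenario", "name": "demo", '
           '"sensor": {"type": "SensorConfig", "sensor_id": "s1", "sampling_rate": 5}}')
    print(safe_load_from_json(doc))
```

The registry is the whole security boundary: a document can only ever produce instances of classes the maintainer chose to register, and a tag such as subprocess.Popen fails the lookup without any module being imported.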
Patches
Patched in 0.16.1; all versions <= 0.16.0 are affected.
Workarounds
Do not load any JSON from untrusted sources and do not expose the REST API.
Credits
Thanks to Jarrett Chan (@syphonetic) for detecting and reporting the bug.