cvedb.io
CVE-2026-33155
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-03-20T21:17:15.910 · Last modified 2026-06-17T10:37:02.550

Summary

DeepDiff is a Python library for deep difference and search of Python data. In versions from 5.0.0 up to, but not including, 8.6.2, the pickle unpickler _RestrictedUnpickler validates which classes may be loaded but does not limit the arguments passed to their constructors. A few of the types in SAFE_TO_IMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte pickle payload can therefore force allocation of more than 10 GB of memory, crashing applications that load delta objects or call pickle_load on untrusted data. This issue has been patched in version 8.6.2.

Affected products

qluster — deepdiff

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.