jsonpickle Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in jsonpickle version 2.0.0. Deserializing attacker-controlled JSON that contains py/repr objects allows arbitrary Python code to run, because jsonpickle passes the py/repr payload to the eval function during decoding, enabling the execution of system commands and arbitrary code. This issue is present in all versions of jsonpickle prior to 2.0.1.

Impact

Exploitation of this vulnerability allows for remote code execution on the server that deserializes the untrusted input with jsonpickle.

Reproduction

To reproduce this vulnerability, craft a JSON string that includes a py/repr directive with a payload that, when evaluated, executes a command or code snippet. Deserialize this crafted JSON using jsonpickle's decode function. The payload will be executed on the server, demonstrating the remote code execution vulnerability.

Remediation

Users are advised to update to jsonpickle version 2.0.1 or later, where this vulnerability has been addressed.
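Until the upgrade is rolled out, an application that must still decode jsonpickle data from untrusted sources can refuse any document carrying the py/repr tag before it ever reaches the decoder. The guard below is an added example written for this advisory, not code from the jsonpickle project: it parses the input with the standard library's json module (which evaluates nothing) and walks the result looking for the py/repr key at any nesting depth, covering both the mechanism described under Vulnerability and the interim mitigation under Remediation. The tag name comes from the advisory; the sample documents, the PLACEHOLDER value and the decode_untrusted wrapper are constructed for illustration, and the wrapper assumes jsonpickle 2.0.1 or later is installed.

```python
"""Pre-decode guard that rejects jsonpickle input containing a py/repr tag.

Added example for the advisory above; uses only the standard library so the
scanner runs even where jsonpickle is not installed.
"""
from __future__ import annotations

import json
from typing import Any, Iterator

# Tag the advisory identifies as the eval() trigger in jsonpickle < 2.0.1.
# The set can be widened if a deployment wants to refuse other py/ tags too.
DANGEROUS_TAGS: frozenset[str] = frozenset({"py/repr"})

# Constructed sample inputs (not real payloads): a benign document, a document
# with the tag nested inside a list, and one where "py/repr" is only a string
# value, which jsonpickle does not treat as a tag.
BENIGN_DOC = '{"name": "alice", "tags": ["a", "b"]}'
TAGGED_DOC = '{"data": [1, {"py/repr": "PLACEHOLDER"}]}'
VALUE_ONLY_DOC = '{"note": "py/repr"}'


def _walk(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, key) for every object key in the parsed document."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            yield child, key
            yield from _walk(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from _walk(item, f"{path}[{index}]")


def find_dangerous_tags(raw: str, tags: frozenset[str] = DANGEROUS_TAGS) -> list[str]:
    """Return the JSON path of every key in `tags`, anywhere in the document.

    Invalid JSON is reported as a finding so the caller fails closed rather
    than handing unparsed bytes to a more permissive decoder.
    """
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return ["$ (not valid JSON)"]
    return [path for path, key in _walk(doc) if key in tags]


def safe_to_decode(raw: str) -> bool:
    """True only when no dangerous tag key is present at any depth."""
    return not find_dangerous_tags(raw)


def decode_untrusted(raw: str) -> Any:
    """Gate jsonpickle.decode behind the scan (hypothetical wrapper).

    jsonpickle is imported lazily and is assumed to be >= 2.0.1; the guard is
    defence in depth, not a substitute for the upgrade.
    """
    findings = find_dangerous_tags(raw)
    if findings:
        raise ValueError(f"refusing to decode: py/repr tag at {findings}")
    import jsonpickle  # assumed installed at a fixed version

    return jsonpickle.decode(raw)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("tagged", TAGGED_DOC), ("value-only", VALUE_ONLY_DOC)):
        print(f"{label:10s} safe={safe_to_decode(doc)} findings={find_dangerous_tags(doc)}")
```

The scan only matches object keys, because that is where jsonpickle looks for its tags; a string value that merely contains "py/repr" is left alone. If the application configures jsonpickle with a non-default JSON backend, parse with that same backend in the guard so both sides see the same document, and treat the upgrade to 2.0.1 as the actual fix.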

Added: May 16, 2026, 4:29 PM
Updated: May 16, 2026, 4:29 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 7.5
exploitability: 6.0
remediation: 0.0
relevance: 8.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.