ERC Emotion Recognition in Conversation Insecure Deserialization Vulnerability
Vulnerability
A vulnerability allowing insecure deserialization has been identified in the ERC (Emotion Recognition in Conversation) library, through version 0.3. This issue arises from the use of jsonpickle, which facilitates the deserialization of user input without proper validation, potentially leading to the execution of arbitrary code.
Impact
Successful exploitation could allow arbitrary code execution, since the deserialization step can be made to reconstruct attacker-controlled objects and run malicious payloads.
Reproduction
The vulnerability can be reproduced by submitting a serialized Python object, encoded as JSON, to an application that uses the affected version of the ERC library. Because the deserialization is handled by jsonpickle, the input is not validated before objects are reconstructed, which creates the opportunity for exploitation.
Remediation
The vulnerability has been addressed by removing the jsonpickle dependency and implementing input validation and error handling. Users should update to the latest version of the ERC library where this fix is applied.
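The remediation pattern described above (replace jsonpickle with plain JSON parsing plus schema validation and error handling), as an added example written for this page, not code from the ERC project. The `speaker`/`text` field names, the size limits and the sample payload are assumptions; the point is that `json.loads` only ever produces plain containers and scalars, so no object is reconstructed, and the strict schema check refuses anything unexpected, including jsonpickle's `py/...` tag keys.

```python
import json
from dataclasses import dataclass

# Constructed sample input: the kind of conversation payload an ERC-style
# service might accept. Field names are assumptions, not the library's schema.
SAMPLE_CONVERSATION = '[{"speaker": "A", "text": "hello"}, {"speaker": "B", "text": "hi"}]'
MAX_UTTERANCES = 1000

@dataclass(frozen=True)
class Utterance:
    speaker: str
    text: str

class InvalidPayload(ValueError):
    """Raised when the JSON does not match the expected schema."""

def _reject_pickle_tags(obj) -> None:
    """Defence in depth: refuse any mapping carrying jsonpickle-style 'py/...' keys."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.startswith("py/"):
                raise InvalidPayload(f"unexpected serialization tag: {key}")
            _reject_pickle_tags(value)
    elif isinstance(obj, list):
        for item in obj:
            _reject_pickle_tags(item)

def load_conversation(raw: str) -> list[Utterance]:
    """Parse untrusted JSON into plain Utterance records using json.loads only.

    json.loads yields only dict/list/str/int/float/bool/None, so no class
    constructor or __reduce__ hook can run during parsing; the strict schema
    check below then rejects anything but a list of {speaker, text} strings.
    """
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise InvalidPayload(f"malformed JSON: {exc.msg}") from None
    _reject_pickle_tags(data)
    if not isinstance(data, list) or len(data) > MAX_UTTERANCES:
        raise InvalidPayload(f"expected a list of at most {MAX_UTTERANCES} utterances")
    result = []
    for i, item in enumerate(data):
        if not isinstance(item, dict) or set(item) != {"speaker", "text"}:
            raise InvalidPayload(f"utterance {i}: expected exactly the keys speaker and text")
        if not all(isinstance(item[k], str) for k in ("speaker", "text")):
            raise InvalidPayload(f"utterance {i}: speaker and text must be strings")
        result.append(Utterance(item["speaker"], item["text"]))
    return result
```

Callers catch `InvalidPayload` and return a 4xx error rather than letting the exception propagate, which is the error-handling half of the fix.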
