EPyT-Flow Remote Code Execution Vulnerability via Unsafe JSON Deserialization
Vulnerability
A remote code execution vulnerability exists in EPyT-Flow versions prior to 0.16.1. The issue arises in the REST API, where attacker-controlled JSON request bodies are parsed by a custom deserializer that honours a type field. When the type field is present, the deserializer dynamically imports the module or class named by the attacker and instantiates it with the arguments supplied in the same JSON object. Because any importable name is accepted, the attacker can name a class whose constructor has side effects, such as subprocess.Popen, so that an OS command is executed while the JSON is still being parsed, before any application-level validation runs. The same deserializer is used when loading JSON files, so a crafted file is a second attack vector.
Impact
Anyone who can send a request to the REST API, or supply a JSON file that EPyT-Flow loads, can execute arbitrary OS commands with the privileges of the EPyT-Flow process on the host where it is running.
Remediation
EPyT-Flow has been patched in version 0.16.1, and users should update to this version or later. Until then, do not load JSON from untrusted sources and do not expose the REST API to untrusted networks.
