APScheduler JSON and CBOR Serializer Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in the JSONSerializer and CBORSerializer components of APScheduler, affecting all versions in the 3.10.x series and the 4.0.0a5 release. The root cause is insecure deserialization: the unmarshal_object function takes a string reference straight from the payload, dynamically imports the module it names, instantiates the referenced class, and then passes attacker-controlled state to that class's __setstate__ method. Nothing restricts the reference to the types the scheduler itself serializes, so any class importable in the Python environment can be instantiated with attacker-chosen state. An attacker exploits this by getting a crafted JSON or CBOR payload into any channel that an application deserializes with these serializers, for example a data store or message broker that other parties can write to.

Impact

Successful exploitation yields remote code execution in the context of the scheduler process: the attacker chooses which class is instantiated and what state its __setstate__ method receives, so any importable class whose __setstate__ acts on its input becomes a usable gadget. The effect occurs at deserialization time, as soon as the serializer processes the payload.

Reproduction

To reproduce this vulnerability, send a JSON or CBOR payload that contains the '_apscheduler_json' key whose value is a two-element array: the first element is a string reference to a class in the Python environment, the second is a dictionary of state to inject. When the payload is deserialized, the JSONSerializer or CBORSerializer passes both elements to unmarshal_object, which imports and instantiates the referenced class and calls its __setstate__ with the supplied dictionary. A simple exposure check is to reference a class the scheduler never serializes and confirm that the reference is accepted rather than rejected; a hardened serializer should refuse any reference outside a fixed allow-list of expected types.
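The payload shape described above, as an added example that is neither APScheduler's own code nor a working exploit against it: a minimal re-creation of the unsafe unmarshal pattern beside a hardened version that only instantiates allow-listed types. The 'module:qualname' reference format, the placement of the object hook, and the JobRecord and SideEffect classes are assumptions constructed for the demonstration; SideEffect stands in for any class in the environment whose __setstate__ acts on its input. Only the JSON form is shown; the CBOR form carries the same reference-and-state pair.

```python
# Added example, not APScheduler code. Re-creates the unsafe unmarshal pattern
# from the advisory and a hardened, allow-listed alternative.
import importlib
import json
import sys

MARKER = "_apscheduler_json"  # key named in the advisory


def callable_from_ref(ref):
    # Resolve a "module:qualname" reference (assumed format) by importing the
    # module and walking the attribute path. This is the dynamic import the
    # advisory describes: nothing limits which module or class may be named.
    modname, _, qualname = ref.partition(":")
    module = sys.modules.get(modname) or importlib.import_module(modname)
    obj = module
    for part in qualname.split("."):
        obj = getattr(obj, part)
    return obj


def unsafe_unmarshal_object(ref, state):
    # Vulnerable pattern: instantiate whatever class the payload names and
    # hand it attacker-controlled state via __setstate__.
    cls = callable_from_ref(ref)
    instance = cls.__new__(cls)
    instance.__setstate__(state)
    return instance


ALLOWED = {}  # ref -> class, populated only by explicit registration


def register(cls):
    # Allow-list a type for unmarshalling. Only types the scheduler itself
    # serializes belong here, and each must validate its own state.
    if not callable(getattr(cls, "__setstate__", None)):
        raise TypeError(f"{cls.__qualname__} must define __setstate__")
    ALLOWED[f"{cls.__module__}:{cls.__qualname__}"] = cls
    return cls


def safe_unmarshal_object(ref, state):
    # Hardened pattern: never import on the attacker's behalf, refuse any
    # reference outside the allow-list, and require a mapping for state.
    cls = ALLOWED.get(ref)
    if cls is None:
        raise ValueError(f"refusing to unmarshal unknown type {ref!r}")
    if not isinstance(state, dict):
        raise ValueError("state must be a mapping")
    instance = cls.__new__(cls)
    instance.__setstate__(state)
    return instance


def load_json(payload, unmarshal):
    # Decode JSON, expanding marker objects with the given unmarshal function
    # (mirrors the object-hook placement the advisory describes).
    def hook(obj):
        if MARKER in obj:
            ref, state = obj[MARKER]
            return unmarshal(ref, state)
        return obj
    return json.loads(payload, object_hook=hook)


@register
class JobRecord:
    # Constructed stand-in for a type the scheduler legitimately serializes.
    def __init__(self, name):
        self.name = name

    def __getstate__(self):
        return {"name": self.name}

    def __setstate__(self, state):
        if not isinstance(state.get("name"), str):
            raise ValueError("bad JobRecord state")
        self.name = state["name"]


class SideEffect:
    # Constructed stand-in for "any class in the environment" whose
    # __setstate__ acts on its input. Deliberately NOT registered.
    log = []

    def __setstate__(self, state):
        SideEffect.log.append(state.get("cmd"))


def attacker_payload():
    # Constructed payload of the exact shape the advisory describes.
    ref = f"{SideEffect.__module__}:{SideEffect.__qualname__}"
    return json.dumps({MARKER: [ref, {"cmd": "whoami"}]})


def legitimate_payload():
    ref = f"{JobRecord.__module__}:{JobRecord.__qualname__}"
    return json.dumps({MARKER: [ref, JobRecord("nightly-backup").__getstate__()]})


def demo_unsafe():
    # Vulnerable deserializer: SideEffect is instantiated and its __setstate__ runs.
    SideEffect.log.clear()
    load_json(attacker_payload(), unsafe_unmarshal_object)
    return list(SideEffect.log)


def demo_safe():
    # Hardened deserializer: accepts the legitimate object, rejects the attack.
    SideEffect.log.clear()
    record = load_json(legitimate_payload(), safe_unmarshal_object)
    try:
        load_json(attacker_payload(), safe_unmarshal_object)
        rejected = False
    except ValueError:
        rejected = True
    return record.name, rejected, list(SideEffect.log)
```

Running demo_unsafe() shows the attacker's dictionary reaching SideEffect.__setstate__ even though nothing in the program ever meant to deserialize that class; demo_safe() shows the same payload refused before any class is touched, while the registered JobRecord still round-trips. The allow-list is necessary but not sufficient: every registered type must treat its state as untrusted input, as JobRecord.__setstate__ does.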

Added: May 19, 2026, 4:24 PM
Updated: May 19, 2026, 4:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.2
remediation: 0.0
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.