DeepDiff Memory Exhaustion Denial-of-Service Vulnerability in Pickle Unpickler

A denial-of-service vulnerability has been identified in DeepDiff versions 5.0.0 prior to 8.6.2. The issue arises in the pickle unpickler `_RestrictedUnpickler`, which validates loadable classes but fails to restrict constructor arguments. This oversight allows certain types in `SAFE_TO_IMPORT`, such as `bytes`, `list`, and `range`, to be exploited. A 40-byte pickle payload can trigger over 10 GB of memory allocation, causing crashes in applications that deserialize delta objects or use `pickle_load` with untrusted data.

Impact

Exploitation of this vulnerability leads to memory exhaustion, causing applications to crash. The `_RestrictedUnpickler` is designed to enhance safety by preventing remote code execution, but it does not adequately address resource exhaustion issues.

Reproduction

The vulnerability can be reproduced by setting a memory limit to 1 GB using Python's `resource` module. After applying the limit, a crafted pickle payload that exploits the unpickler's lack of argument validation can be loaded. This payload, which calls `bytes(10_000_000_000)`, bypasses the size restriction and allocates approximately 9.3 GB of memory, causing a `MemoryError`. Alternatively, the vulnerability can be demonstrated by applying a delta that first modifies a target value with a large integer and then converts it to bytes, exploiting the same unpickler oversight.

Remediation

Users can update to DeepDiff version 8.6.2, which addresses the vulnerability by limiting the maximum allocation size for `bytes` and `bytearray` during unpickling, preventing excessive memory use.