REPRO-2026-00063 CRITICAL RCE
Verified
deepdiff: Class Pollution RCE via Delta Tuple Path Bypass
deepdiff (pip) Jan 13, 2026
What's the vulnerability?
Class pollution vulnerability in deepdiff Delta class allows RCE via tuple path bypass of dunder attribute filters
Root Cause Analysis
# Root Cause Analysis and Patch Verification - GHSA-mw26-5g2v-hqw3 / CVE-2025-58367
Summary
- Vulnerability: Class pollution RCE in deepdiff Delta class via tuple path bypass
- Affected: deepdiff >= 5.0.0, <= 8.6.0 (confirmed on 8.6.0)
- Fixed: 8.6.1 and later
- Impact: Remote code execution, denial of service, authentication bypass when attacker controls Delta input
Mechanism (What is broken)
- DeepDiff's Delta class accepts dictionaries with paths as keys to represent object changes.
- While string paths are filtered for dangerous attributes like `__globals__`, the `_path_to_elements` function returns tuple representations unchanged.
- An attacker can pass tuple paths like `(("root", "GETATTR"), ("__class__", "GETATTR"), ("__globals__", "GETATTR"))` to bypass security filters.
- This allows traversing to sensitive attributes including `__globals__`, `__builtins__`, and executing arbitrary code.
- The vulnerable code pattern: Delta accepts user input and applies it without validating tuple path representations.
Proof of Vulnerability
- On deepdiff 8.6.0, creating a Delta with tuple paths containing dunder attributes succeeds.
- The path `(("root", "GETATTR"), ("__class__", "GETATTR"), ("__init__", "GETATTR"), ("__globals__", "GETATTR"))` is accepted.
- This demonstrates the string filter bypass: the same path expressed as a string would be rejected.
- Evidence captured in logs/evidence_vuln.txt confirming tuple path bypass.
- Evidence JSON: {"reproduced": true, "vulnerable_version": "8.6.0"}
Patched Behavior (Latest)
- In deepdiff 8.6.1, dunder attribute traversal is blocked for ALL path formats including tuples.
- The patched code raises DeltaError: "traversing dunder attributes is not allowed".
- Additionally, SAFE_TO_IMPORT is now a frozenset (immutable), preventing runtime modification.
- Pickle deserialization blocks forbidden modules by default.
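As an added example (not code from deepdiff, from the patch, or from this report), the following is the kind of input-side check the patched behaviour above describes: normalize both path representations, the string form and the tuple form shown in the Mechanism section, into a list of element names, and refuse the whole diff if any element is a dunder name, before anything is handed to Delta. The string path grammar it parses, the `(name, action)` tuple shape, the literal `\uXXXX` normalization and the function names `path_elements`, `is_safe_path` and `reject_dunder_paths` are assumptions made for this example; it does not depend on deepdiff being installed.

```python
import re

# Added example, not deepdiff's own code. Assumed path forms, taken from
# the shapes quoted in this report:
#   string path:  "root.__class__['x']"
#   tuple path:   (("root", "GETATTR"), ("__class__", "GETATTR"))

_DUNDER = re.compile(r"^__.*__$")
# ".name" attribute steps and "[key]" item steps of a string path (assumed grammar)
_STRING_TOKEN = re.compile(r"\.([^.\[\]]+)|\[([^\]]*)\]")
# literal backslash-u escapes that survive into the path text, e.g. "\u005f\u005f"
_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


class UnsafeDeltaPath(ValueError):
    """Raised when a path would traverse a dunder attribute."""


def _normalize(text: str) -> str:
    """Decode literal \\uXXXX escapes so "\\u005f\\u005f" is compared as "__"."""
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def path_elements(path):
    """Return the element names of a path in either representation.

    Strings are tokenized into attribute and item steps; tuples are taken as a
    sequence of (name, action) pairs and only the name is kept. Non-string
    names (integer indexes) are passed through untouched."""
    if isinstance(path, str):
        text = _normalize(path)
        names = []
        if text.startswith("root"):
            names.append("root")
            text = text[len("root"):]
        for match in _STRING_TOKEN.finditer(text):
            name = match.group(1) if match.group(1) is not None else match.group(2)
            names.append(name.strip("'\""))
        return names
    names = []
    for element in path:
        name = element[0] if isinstance(element, tuple) else element
        if isinstance(name, str):
            name = _normalize(name)
        names.append(name)
    return names


def is_safe_path(path) -> bool:
    """True when no element of the path is a dunder name such as __class__."""
    return not any(isinstance(n, str) and _DUNDER.match(n) for n in path_elements(path))


def reject_dunder_paths(delta_dict) -> int:
    """Walk a diff dict such as {"values_changed": {path: ...}, "attribute_added": [path, ...]}
    and raise UnsafeDeltaPath on any path, string or tuple, that would traverse a
    dunder attribute. Returns the number of paths checked so a caller can confirm
    the check actually ran over the input."""
    checked = 0
    for action, changes in delta_dict.items():
        if isinstance(changes, dict):
            paths = changes.keys()
        elif isinstance(changes, (list, tuple, set, frozenset)):
            paths = changes
        else:
            continue
        for path in paths:
            checked += 1
            if not is_safe_path(path):
                raise UnsafeDeltaPath(
                    f"traversing dunder attributes is not allowed: {action} {path!r}"
                )
    return checked


if __name__ == "__main__":
    # Constructed sample diffs: a benign change and the tuple-path shape from the report.
    benign = {"values_changed": {"root['user'].name": {"new_value": "alice"}}}
    print("benign paths checked:", reject_dunder_paths(benign))
    hostile = {"attribute_added": [(("root", "GETATTR"), ("__class__", "GETATTR"))]}
    try:
        reject_dunder_paths(hostile)
    except UnsafeDeltaPath as err:
        print("rejected:", err)
```

The point of normalizing into element names first is that the check then no longer cares which representation the caller chose; the same reasoning is why the patch applies its dunder filter to tuple paths as well as strings.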
Bypass Exploration (12 distinct attempts)
We tested the following bypass attempts on the patched version:
1. Tuple path to __class__ - Result: BLOCKED (dunder filter)
2. Tuple path to __globals__ - Result: BLOCKED (dunder filter)
3. Tuple path to __init__ - Result: BLOCKED (dunder filter)
4. Pickle __reduce__ with os.system - Result: BLOCKED (ForbiddenModule)
5. String path root.__class__ - Result: BLOCKED (no effect)
6. Unicode escape dunder (\u005f\u005f) - Result: BLOCKED (normalized)
7. Nested tuple path to __class__ - Result: BLOCKED (dunder filter)
8. attribute_added with __class__ - Result: BLOCKED (dunder filter)
9. values_changed with __dict__ - Result: BLOCKED (dunder filter)
10. type_changes with __class__ - Result: BLOCKED (dunder filter)
11. Opcode gadget via pickle - Result: BLOCKED (no effect)
12. SAFE_TO_IMPORT mutation - Result: BLOCKED (frozenset immutable)
Result: All 12 bypass attempts blocked. The patch comprehensively addresses both tuple path bypass and pickle gadget chains.
Threat Model Considerations
- Access: Attacker needs ability to control input to Delta constructor (web APIs, user uploads)
- Gain: Full RCE, DoS via corrupting built-in classes, authentication bypass via secret modification
- Prerequisites: Application using DeepDiff Delta with user-controlled input
- The CVSS 10.0 score reflects a network-accessible vector, no authentication required, and full impact
How to Interpret Our Artifacts
- logs/evidence_vuln.txt: Shows "CLASS_POLLUTION_TUPLE_PATH_BYPASS" proving the vulnerability
- logs/vulnerable.log: Shows Delta accepting tuple path with dunder attributes
- logs/patched.log: Shows all 12 bypass attempts blocked with specific error messages
- logs/result.json: JSON summary with reproduced=true, patched_blocked=true, bypass_attempts=12
Conclusion
- Vulnerability reproduced on affected version (8.6.0) - tuple paths bypass string filters for dunder attributes
- Patched version (8.6.1) blocks ALL 12 bypass attempts via comprehensive dunder filtering
- Key fixes: dunder filter applies to tuple paths, SAFE_TO_IMPORT is immutable frozenset, ForbiddenModule for pickle
References
- Advisory: https://github.com/seperman/deepdiff/security/advisories/GHSA-mw26-5g2v-hqw3
- CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-58367
One Command
Verify with pruva-verify
Run the Pruva CLI to automatically fetch and execute the reproduction script.
pruva-verify REPRO-2026-00063
or
pruva-verify GHSA-mw26-5g2v-hqw3
or
pruva-verify CVE-2025-58367
Install:
curl -fsSL https://pruva.dev/install.sh | sh
Or Run Manually
1. Download the script
curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00063/artifacts/reproduction_steps.sh
2. Make executable
chmod +x reproduction_steps.sh
3. Run the script
./reproduction_steps.sh
Run in a VM, container, or disposable environment. This exploits a real vulnerability.