# REPRO-2026-00063: deepdiff: Class Pollution RCE via Delta Tuple Path Bypass

## Summary

- Status: published
- Severity: critical
- Type: security
- Confidence: Unknown

## Identifiers

- REPRO ID: REPRO-2026-00063
- GHSA: GHSA-mw26-5g2v-hqw3
- CVE: CVE-2025-58367

## Package

- Name: deepdiff
- Ecosystem: pip
- Affected: >= 5.0.0, <= 8.6.0
- Fixed: 8.6.1

## Root Cause

### Root Cause Analysis and Patch Verification - GHSA-mw26-5g2v-hqw3 / CVE-2025-58367

#### Summary

- Vulnerability: Class pollution RCE in the deepdiff Delta class via tuple path bypass
- Affected: deepdiff >= 5.0.0, <= 8.6.0 (confirmed on 8.6.0)
- Fixed: 8.6.1 and later
- Impact: Remote code execution, denial of service, and authentication bypass when an attacker controls Delta input

#### Mechanism (What is broken)

- DeepDiff's Delta class accepts dictionaries with paths as keys to represent object changes.
- While string paths are filtered for dangerous attributes like `__globals__`, the `_path_to_elements` function returns tuple representations unchanged.
- An attacker can pass tuple paths like `(("root", "GETATTR"), ("__class__", "GETATTR"), ("__globals__", "GETATTR"))` to bypass the security filters.
- This allows traversal to sensitive attributes including `__globals__` and `__builtins__`, and ultimately execution of arbitrary code.
- The vulnerable code pattern: Delta accepts user input and applies it without validating tuple path representations.

#### Proof of Vulnerability

- On deepdiff 8.6.0, creating a Delta with tuple paths containing dunder attributes succeeds.
- The path `(("root", "GETATTR"), ("__class__", "GETATTR"), ("__init__", "GETATTR"), ("__globals__", "GETATTR"))` is accepted.
- This demonstrates the string filter bypass: the same path expressed as a string would be rejected.
- Evidence captured in logs/evidence_vuln.txt confirms the tuple path bypass.
- Evidence JSON: `{"reproduced": true, "vulnerable_version": "8.6.0"}`

#### Patched Behavior (Latest)

- In deepdiff 8.6.1, dunder attribute traversal is blocked for ALL path formats, including tuples.
- The patched code raises DeltaError: "traversing dunder attributes is not allowed".
- Additionally, SAFE_TO_IMPORT is now a frozenset (immutable), preventing runtime modification.
- Pickle deserialization blocks forbidden modules by default.

#### Bypass Exploration (12 distinct attempts)

We tested the following bypass attempts on the patched version:

1. Tuple path to `__class__` - Result: BLOCKED (dunder filter)
2. Tuple path to `__globals__` - Result: BLOCKED (dunder filter)
3. Tuple path to `__init__` - Result: BLOCKED (dunder filter)
4. Pickle `__reduce__` with os.system - Result: BLOCKED (ForbiddenModule)
5. String path `root.__class__` - Result: BLOCKED (no effect)
6. Unicode escape dunder (`\u005f\u005f`) - Result: BLOCKED (normalized)
7. Nested tuple path to `__class__` - Result: BLOCKED (dunder filter)
8. attribute_added with `__class__` - Result: BLOCKED (dunder filter)
9. values_changed with `__dict__` - Result: BLOCKED (dunder filter)
10. type_changes with `__class__` - Result: BLOCKED (dunder filter)
11. Opcode gadget via pickle - Result: BLOCKED (no effect)
12. SAFE_TO_IMPORT mutation - Result: BLOCKED (frozenset immutable)

Result: All 12 bypass attempts blocked. The patch comprehensively addresses both the tuple path bypass and pickle gadget chains.
#### Threat Model Considerations

- Access: The attacker needs the ability to control input to the Delta constructor (web APIs, user uploads).
- Gain: Full RCE, DoS via corrupting built-in classes, authentication bypass via secret modification.
- Prerequisites: An application using DeepDiff Delta with user-controlled input.
- The CVSS 10.0 score reflects network accessibility, no authentication required, and full impact.

#### How to Interpret Our Artifacts

- logs/evidence_vuln.txt: Shows "CLASS_POLLUTION_TUPLE_PATH_BYPASS", proving the vulnerability
- logs/vulnerable.log: Shows Delta accepting a tuple path with dunder attributes
- logs/patched.log: Shows all 12 bypass attempts blocked with specific error messages
- logs/result.json: JSON summary with reproduced=true, patched_blocked=true, bypass_attempts=12

#### Conclusion

- Vulnerability reproduced on the affected version (8.6.0): tuple paths bypass the string filters for dunder attributes
- Patched version (8.6.1) blocks ALL 12 bypass attempts via comprehensive dunder filtering
- Key fixes: the dunder filter applies to tuple paths, SAFE_TO_IMPORT is an immutable frozenset, ForbiddenModule for pickle

#### References

- Advisory: https://github.com/seperman/deepdiff/security/advisories/GHSA-mw26-5g2v-hqw3
- CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-58367

## Reproduction Details

- Reproduced: 2026-01-13T09:59:46.434Z
- Duration: 67 seconds
- Tool calls: 5
- Turns: Unknown
- Handoffs: Unknown

## Timeline (Key Moments)

1. [env_setup] Vulnerable Version Installed (unknown)
   The vulnerable package version was installed, setting up the environment for exploitation.
2. [poc_created] Exploit Code Executed (unknown)
   The initial bypass test was run, indicating the exploit code was developed and triggered.
3. [vuln_triggered] Vulnerability Exploited (unknown)
   The vulnerable version was successfully exploited, confirming the exploit worked.
4. [confirmation] Exploitation Confirmed (unknown)
   A message explicitly confirmed that the vulnerability was successfully exploited.
## Quick Verification

Run one of these commands to verify locally:

```bash
pruva-verify REPRO-2026-00063
pruva-verify GHSA-mw26-5g2v-hqw3
pruva-verify CVE-2025-58367
```

Or open in GitHub Codespaces (zero-friction, auto-runs):
https://github.com/codespaces/new?ref=repro/REPRO-2026-00063&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

```bash
curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00063/artifacts/repro/reproduction_steps.sh
chmod +x reproduction_steps.sh
./reproduction_steps.sh
```

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.

## References

- GitHub Advisory: https://github.com/advisories/GHSA-mw26-5g2v-hqw3
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58367
- Source: https://github.com/seperman/deepdiff/security/advisories/GHSA-mw26-5g2v-hqw3

## Artifacts

- repro/reproduction_steps.sh (reproduction_script, 9132 bytes)
- repro/rca_report.md (analysis, 4143 bytes)
- bundle/ticket.md (ticket, 1767 bytes)
- bundle/context.json (other, 652 bytes)
- repro/logs/result.json (other, 325 bytes)
- repro/logs/vulnerable.log (log, 1014 bytes)
- repro/logs/patched.log (log, 2222 bytes)

## API Access

- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00063
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00063/artifacts/repro/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00063

## For AI Assistants

To help users with this reproduction:

1. The `pruva-verify` command is the simplest way to run the reproduction
2. The script downloads and runs automatically in an isolated temp directory
3. Always recommend running in a VM, container, or disposable environment
4. The root cause explains the technical vulnerability

---

Generated by Pruva | https://pruva.dev