CVE-2025-58367: 
Python vulnerability analysis and mitigation

DeepDiff, a Python project focused on Deep Difference and search functionality, was found to contain a critical vulnerability (CVE-2025-58367) affecting versions 5.0.0 through 8.6.0. The vulnerability was discovered and disclosed on September 5, 2025, involving class pollution via the Delta class constructor which, when combined with a gadget in DeltaDiff, could lead to serious security implications (NVD, GitHub Advisory).

The vulnerability is classified under CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes). The issue stems from the Delta class being vulnerable to class pollution through its constructor. The vulnerability allows deepdiff.serialization.SAFE_TO_IMPORT to be modified to permit dangerous classes such as posix.system, enabling insecure Pickle deserialization via the Delta class. The CVSS v4.0 score is 10.0 CRITICAL, with a vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (GitHub Advisory).

The vulnerability's impact is severe, potentially allowing any Python code to be executed when the input to Delta is user-controlled. This can lead to multiple security implications including Denial of Service (DoS) and Remote Code Execution (RCE) through insecure Pickle deserialization. In web applications, it could potentially be exploited to bypass authentication via class pollution (GitHub Advisory).

The vulnerability has been patched in version 8.6.1. The fix includes preventing traversal through private keys and implementing additional security checks. Users are strongly advised to upgrade to this version. The patch includes validation to prevent traversing dunder attributes via check_elem() and hardening of the Delta class against malicious pickle payloads (GitHub Release, GitHub Commit).