Vulnerability Details CVE-2026-33155
DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler _RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFE_TO_IMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call pickle_load with untrusted data. This issue has been patched in version 8.6.2.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 17.3%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2026-33155
-
cpe:2.3:a:qluster:deepdiff:5.0.0
-
cpe:2.3:a:qluster:deepdiff:5.0.2
-
cpe:2.3:a:qluster:deepdiff:5.2.1
-
cpe:2.3:a:qluster:deepdiff:5.2.2
-
cpe:2.3:a:qluster:deepdiff:5.2.3
-
cpe:2.3:a:qluster:deepdiff:5.3.0
-
cpe:2.3:a:qluster:deepdiff:5.5.0
-
cpe:2.3:a:qluster:deepdiff:5.6.0
-
cpe:2.3:a:qluster:deepdiff:5.7.0
-
cpe:2.3:a:qluster:deepdiff:5.8.0
-
cpe:2.3:a:qluster:deepdiff:5.8.1
-
cpe:2.3:a:qluster:deepdiff:5.8.2
-
cpe:2.3:a:qluster:deepdiff:6.0.0
-
cpe:2.3:a:qluster:deepdiff:6.1.0
-
cpe:2.3:a:qluster:deepdiff:6.2.1
-
cpe:2.3:a:qluster:deepdiff:6.2.2
-
cpe:2.3:a:qluster:deepdiff:6.2.3
-
cpe:2.3:a:qluster:deepdiff:6.3.0
-
cpe:2.3:a:qluster:deepdiff:6.3.1
-
cpe:2.3:a:qluster:deepdiff:6.4.0
-
cpe:2.3:a:qluster:deepdiff:6.4.1
-
cpe:2.3:a:qluster:deepdiff:6.6.0
-
cpe:2.3:a:qluster:deepdiff:6.7.1
-
cpe:2.3:a:qluster:deepdiff:7.0.1
-
cpe:2.3:a:qluster:deepdiff:8.0.0
-
cpe:2.3:a:qluster:deepdiff:8.0.1
-
cpe:2.3:a:qluster:deepdiff:8.1.0
-
cpe:2.3:a:qluster:deepdiff:8.1.1
-
cpe:2.3:a:qluster:deepdiff:8.2.0
-
cpe:2.3:a:qluster:deepdiff:8.3.0
-
cpe:2.3:a:qluster:deepdiff:8.4.0
-
cpe:2.3:a:qluster:deepdiff:8.4.1
-
cpe:2.3:a:qluster:deepdiff:8.5.0
-
cpe:2.3:a:qluster:deepdiff:8.6.0
-
cpe:2.3:a:qluster:deepdiff:8.6.1