CVE-2026-33155

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33155
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33155.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33155
Aliases
Downstream
Related
Published
2026-03-20T20:25:53.405Z
Modified
2026-04-10T05:42:38.323477Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
DeepDiff has Memory Exhaustion DoS through SAFE_TO_IMPORT
Details

DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFETOIMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call pickleload with untrusted data. This issue has been patched in version 8.6.2.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33155.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-400"
    ]
}
References

Affected packages

Git / github.com/qlustered/deepdiff

Affected ranges

Type
GIT
Repo
https://github.com/qlustered/deepdiff
Events
Introduced
15a99abefd93de22367f1bb9fec228b4dd0675f6
Fixed
0d07ec21d12b46ef4e489383b363eadc22d990fb

Affected versions

5.*
5.0.0
5.0.2
5.2.1
5.2.2
5.2.3
5.3.0
5.5.0
5.6.0
5.8.0
6.*
6.0.0
6.1.0
6.2.1
6.2.2
6.3.0
6.3.1
6.4.0
6.4.1
6.6.0
6.7.1
7.*
7.0.1
8.*
8.0.0
8.0.1
8.1.0
8.1.1
8.2.0
8.3.0
8.4.0
8.4.1
8.5.0
8.6.0
8.6.1
v5.*
v5.8.1
v5.8.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33155.json"