Skip to content

Fix CVE-2025-69872: restrict pickle deserialization to safe types#1

Merged
vavsab merged 7 commits into
masterfrom
fix-cve-2025-69872
Jul 6, 2026
Merged

Fix CVE-2025-69872: restrict pickle deserialization to safe types#1
vavsab merged 7 commits into
masterfrom
fix-cve-2025-69872

Conversation

@vavsab

@vavsab vavsab commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Cherry-picks grantjenks#364 from upstream (unmaintained, owner not responding).

What changed

  • SafeUnpickler replaces pickle.load in exactly 3 call sites in core.py
  • Hardcoded allowlist of safe built-in types (int, str, bytes, list, dict, datetime, UUID, etc.)
  • Blocks all __reduce__-based RCE payloads regardless of filesystem permissions
  • No opt-out by design — stronger guarantee than the HMAC approach in upstream PR Mitigate CVE-2025-69872: HMAC-verified pickle envelope grantjenks/python-diskcache#361
  • All 179 existing tests pass + 26 new security tests
  • Renamed package to mapped-diskcache, bumped to 6.0.0
  • Added PyPI publish CI (triggers on v* tags, requires PYPI_API_TOKEN secret)

Breaking change

Users caching custom objects will get UnpicklingError on read. Migration: use JSONDisk or subclass Disk. For our use case (dvc-data caches file metadata as dicts/primitives) the allowlist covers everything.

🤖 Generated with Claude Code

a2811057970 and others added 7 commits July 6, 2026 19:02
BREAKING CHANGE: Pickle deserialization now only permits safe built-in
types (builtins, collections, datetime, decimal, fractions, uuid).
Arbitrary objects can no longer be deserialized from cache, preventing
code execution via crafted pickle payloads.

Users caching custom types should migrate to JSONDisk or a custom Disk
subclass. There is no opt-out mechanism by design.

- Add SafeUnpickler with allowlist-based find_class override
- Add UnpicklingError (inherits pickle.UnpicklingError) for downstream
  compatibility with libraries catching pickle.PickleError
- Support pickle protocols 0-5 via __builtin__, copy_reg, and _codecs
  allowlist entries
- Use frozenset values in SAFE_PICKLE_CLASSES to prevent runtime bypass
- Bump version to 6.0.0 (breaking change per semver)

This takes a different approach to PR grantjenks#361 (HMAC envelope). The HMAC
approach still allows arbitrary deserialization once the signature is
verified, meaning an attacker with read+write access to the cache
directory can read the auto-generated key file and forge valid
payloads. The allowlist approach blocks dangerous types regardless of
filesystem access.

Fixes: CVE-2025-69872
Closes: grantjenks#357, grantjenks#360, grantjenks#362
@vavsab vavsab merged commit 3d9b52c into master Jul 6, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants