CVE-2021-47952: Python Jsonpickle Unsafe Decode Eval Rce
jsonpickle's decode()/Unpickler() is defined with, or invoked with, safe=False. That enables the legacy py/repr deserialization path, which calls eval() on attacker-controlled JSON content, so a JSON payload such as {"py/repr": "os/os.system('id')"} achieves remote code execution. Fix: change the default to safe=True (the patched behavior) or pass safe=True explicitly at every call site.
greprules fetch cve-2021-47952-python-jsonpickle-unsafe-decode-eval-rce --engine opengrep
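An opengrep/semgrep rule that flags the two conditions the description names, unsafe call sites and an unsafe default in a decode() definition; this is an added illustration, not the greprules rule itself, and the rule id, message and metadata are assumptions:

```yaml
rules:
  - id: jsonpickle-unsafe-decode-eval-rce   # assumed id, not the greprules one
    languages: [python]
    severity: ERROR
    message: >-
      jsonpickle decode()/Unpickler() with safe=False (or relying on the
      pre-patch default) enables the py/repr path, which eval()s
      attacker-controlled JSON. Pass safe=True explicitly.
    metadata:
      category: security
      cwe: "CWE-502: Deserialization of Untrusted Data"
    pattern-either:
      # Call sites that explicitly opt in to the unsafe path.
      - pattern: jsonpickle.decode(..., safe=False, ...)
      - pattern: jsonpickle.Unpickler(..., safe=False, ...)
      - pattern: jsonpickle.unpickler.Unpickler(..., safe=False, ...)
      # Call sites that never set safe= inherit the library default, which
      # was False before the fix, so report them unless safe=True is given.
      - patterns:
          - pattern: jsonpickle.decode(...)
          - pattern-not: jsonpickle.decode(..., safe=True, ...)
      - patterns:
          - pattern: jsonpickle.Unpickler(...)
          - pattern-not: jsonpickle.Unpickler(..., safe=True, ...)
      - patterns:
          - pattern: jsonpickle.unpickler.Unpickler(...)
          - pattern-not: jsonpickle.unpickler.Unpickler(..., safe=True, ...)
      # A wrapper (or vendored copy of the library) that defines decode()
      # with the unsafe default.
      - pattern: |
          def decode(..., safe=False, ...):
            ...
```

Semgrep/opengrep resolves `from jsonpickle import decode` to the dotted `jsonpickle.decode` pattern, so aliased imports are covered; review the "no safe= argument" findings against the jsonpickle version in use, since they are only true positives where the default is still False.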
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided