Add advisory for django-async-include RCE (CVSS 9.8)#300

Open
shred0day wants to merge 1 commit into
pypa:mainfrom
shred0day:main
Conversation

@shred0day

Summary

Adds a security advisory for an unauthenticated RCE vulnerability in django-async-include < 0.8.0.

Vulnerability Details

  • Type: Unsafe Deserialization (CWE-502)
  • CVSS: 9.8 Critical
  • Attack Vector: Network, unauthenticated
  • Root Cause: jsonpickle.loads() on untrusted request body in views.py:25
  • Fixed in: 0.8.0 (released 2026-06-02)

Timeline

  • 2026-05-31: Disclosed to maintainer via email
  • 2026-06-02: Maintainer released fix (v0.8.0)
  • 2026-06-03: This advisory

References

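The deserialization pattern named in the advisory, shown as an added illustration that is not the project's code or the fix the maintainer shipped: a request-body parser that replaces jsonpickle.loads() with json.loads() plus explicit schema checks, and flags jsonpickle-style tagged input so it can be logged. The field names (template_name, context) and the sample bodies are constructed assumptions, since the PR does not show the real request format.

```python
import json
import re
from typing import Any

# Constructed sample bodies (not taken from the project or the advisory).
BENIGN_BODY = b'{"template_name": "widgets/card.html", "context": {"title": "Hello"}}'
TAGGED_BODY = b'{"py/object": "some.module.SomeClass", "template_name": "x.html"}'

# The vulnerable pattern the advisory describes, shown but not executed:
#     data = jsonpickle.loads(request.body)
# jsonpickle rebuilds whatever Python objects the JSON names, so an
# unauthenticated caller decides which classes get instantiated.

JSONPICKLE_TAG = re.compile(r"^py/")           # jsonpickle reserves keys such as "py/object"
TEMPLATE_NAME = re.compile(r"^[A-Za-z0-9_./-]+\.html$")  # assumed naming rule for templates


class BadRequest(ValueError):
    """Raised for any body that does not match the expected shape."""


def _has_jsonpickle_tags(obj: Any) -> bool:
    """True if any dict key anywhere in obj looks like a jsonpickle tag (worth logging as a probe)."""
    if isinstance(obj, dict):
        return any(JSONPICKLE_TAG.match(str(k)) or _has_jsonpickle_tags(v) for k, v in obj.items())
    if isinstance(obj, list):
        return any(_has_jsonpickle_tags(v) for v in obj)
    return False


def parse_include_request(body: bytes) -> dict:
    """Hardened parser: json.loads only yields dict/list/str/int/float/bool/None,
    never caller-chosen classes; the result is then checked against an allowlist schema."""
    try:
        data = json.loads(body)
    except ValueError as exc:                   # JSONDecodeError and UnicodeDecodeError
        raise BadRequest(f"malformed JSON: {exc}") from None
    if not isinstance(data, dict):
        raise BadRequest("top-level value must be an object")
    if _has_jsonpickle_tags(data):
        raise BadRequest("jsonpickle tags are not accepted")
    name = data.get("template_name")
    if not isinstance(name, str) or not TEMPLATE_NAME.match(name) or ".." in name:
        raise BadRequest("invalid template_name")
    context = data.get("context", {})
    scalars = (str, int, float, bool, type(None))
    if not isinstance(context, dict) or not all(
        isinstance(k, str) and isinstance(v, scalars) for k, v in context.items()
    ):
        raise BadRequest("context must be a flat object of scalar values")
    return {"template_name": name, "context": context}


def accepts(body: bytes) -> bool:
    """Convenience wrapper: True if the body passes validation, False if it is rejected."""
    try:
        parse_include_request(body)
        return True
    except BadRequest:
        return False
```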