From 4256e5c703780f0096ec605d3d8662fc32c0f4b1 Mon Sep 17 00:00:00 2001
From: shred0day
Date: Wed, 3 Jun 2026 10:40:26 +0530
Subject: [PATCH] Create PYSEC-0000-django-async-include-rce.yaml

---
 .../PYSEC-0000-django-async-include-rce.yaml | 73 +++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 vulns/django-async-include/PYSEC-0000-django-async-include-rce.yaml

diff --git a/vulns/django-async-include/PYSEC-0000-django-async-include-rce.yaml b/vulns/django-async-include/PYSEC-0000-django-async-include-rce.yaml
new file mode 100644
index 00000000..9d61ecde
--- /dev/null
+++ b/vulns/django-async-include/PYSEC-0000-django-async-include-rce.yaml
@@ -0,0 +1,73 @@
+id: PYSEC-0000-django-async-include-rce
+modified: "2026-06-03T00:00:00Z"
+published: "2026-06-03T00:00:00Z"
+schema_version: "1.6.0"
+
+aliases: []
+
+summary: >
+  Unauthenticated Remote Code Execution in django-async-include via unsafe jsonpickle deserialization
+
+details: |
+  django-async-include versions prior to 0.8.0 are vulnerable to unauthenticated
+  remote code execution. The package uses `jsonpickle.loads()` to deserialize
+  untrusted user input from HTTP request bodies in `async_include/views.py` at
+  line 25. The vulnerable endpoint is accessible without authentication at the
+  URL path `/async_include/get/%3F`.
+
+  An attacker can craft a malicious JSON payload using jsonpickle's `py/reduce`
+  gadget to execute arbitrary Python code on the server. The deserialization
+  occurs before any validation or authentication checks.
+
+  The vulnerability was fixed in version 0.8.0 by replacing `jsonpickle.loads()`
+  with the safe `json.loads()` function.
+
+severity:
+  - type: CVSS_V3
+    score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+
+affected:
+  - package:
+      ecosystem: PyPI
+      name: django-async-include
+    ranges:
+      - type: ECOSYSTEM
+        events:
+          - introduced: "0"
+          - fixed: "0.8.0"
+    versions:
+      - "0.5.0"
+      - "0.5.1"
+      - "0.5.2"
+      - "0.5.3"
+      - "0.5.4"
+      - "0.5.5"
+      - "0.6.0"
+      - "0.6.1"
+      - "0.6.2"
+      - "0.6.3"
+      - "0.6.4"
+      - "0.6.5"
+      - "0.6.6"
+      - "0.7.0"
+    ecosystem_specific:
+      imports:
+        - attribute: "get"
+          modules:
+            - "async_include.views"
+
+references:
+  - type: PACKAGE
+    url: https://pypi.org/project/django-async-include/
+  - type: FIX
+    url: https://github.com/diegojromerolopez/django-async-include/releases/tag/v0.8.0
+
+credits:
+  - name: Igor Kakaroff (shred0day)
+    contact:
+      - mailto:igorkakaroff@gmail.com
+    type: FINDER
+  - name: Diego J. Romero López
+    contact:
+      - mailto:diegojromerolopez@gmail.com
+    type: REMEDIATION_DEVELOPER
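Review bot: The `id` on the first line of the hunk, `PYSEC-0000-django-async-include-rce`, is a placeholder rather than a valid PYSEC identifier (the database assigns `PYSEC-YYYY-NNNN` on merge), so both the `id` value and the filename need to be renamed once an ID is allocated, and any CVE or GHSA that exists should go under `aliases` instead of leaving it `[]`. The `affected` block is internally inconsistent: the ECOSYSTEM range opens with `- introduced: "0"` while the explicit `versions` list starts at `"0.5.0"`, so any release published before 0.5.0 would match the range but not the list; either enumerate every published pre-0.8.0 version or, if earlier releases are unaffected or do not exist, narrow the range to `- introduced: "0.5.0"`. The `details` text asserts the exact file and line of the `jsonpickle.loads()` call and the exact replacement made in 0.8.0, yet the only `FIX` reference is a release tag; adding a reference to the fixing commit (and a `REPORT` or `WEB` entry for the disclosure) would let consumers verify those claims rather than take them on trust. As a point of style, `summary: >` leaves a trailing newline in the folded string; `summary: >-` is the conventional form for a one-line summary.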