@@ -0,0 +1,73 @@
id: PYSEC-0000-django-async-include-rce
modified: "2026-06-03T00:00:00Z"
published: "2026-06-03T00:00:00Z"
schema_version: "1.6.0"

aliases: []

summary: >
Unauthenticated Remote Code Execution in django-async-include via unsafe jsonpickle deserialization

details: |
django-async-include versions prior to 0.8.0 are vulnerable to unauthenticated
remote code execution. The package uses `jsonpickle.loads()` to deserialize
untrusted user input from HTTP request bodies in `async_include/views.py` at
line 25. The vulnerable endpoint is accessible without authentication at the
URL path `/async_include/get/%3F`.

An attacker can craft a malicious JSON payload using jsonpickle's `py/reduce`
gadget to execute arbitrary Python code on the server. The deserialization
occurs before any validation or authentication checks.

The vulnerability was fixed in version 0.8.0 by replacing `jsonpickle.loads()`
with the safe `json.loads()` function.

severity:
- type: CVSS_V3
score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"

affected:
- package:
ecosystem: PyPI
name: django-async-include
ranges:
- type: ECOSYSTEM
events:
- introduced: "0"
- fixed: "0.8.0"
versions:
- "0.5.0"
- "0.5.1"
- "0.5.2"
- "0.5.3"
- "0.5.4"
- "0.5.5"
- "0.6.0"
- "0.6.1"
- "0.6.2"
- "0.6.3"
- "0.6.4"
- "0.6.5"
- "0.6.6"
- "0.7.0"
ecosystem_specific:
imports:
- attribute: "get"
modules:
- "async_include.views"

references:
- type: PACKAGE
url: https://pypi.org/project/django-async-include/
- type: FIX
url: https://github.com/diegojromerolopez/django-async-include/releases/tag/v0.8.0

credits:
- name: Igor Kakaroff (shred0day)
contact:
- mailto:igorkakaroff@gmail.com
type: FINDER
- name: Diego J. Romero López
contact:
- mailto:diegojromerolopez@gmail.com
type: REMEDIATION_DEVELOPER
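Review bot: the `id` field still carries the placeholder `PYSEC-0000-django-async-include-rce`; PYSEC identifiers are allocated as `PYSEC-<year>-<number>`, so a real id is needed before merge, and `aliases: []` should pick up the CVE or GHSA id if one has been requested. The `references` list has only `PACKAGE` and a `FIX` pointing at the release tag page; since `details` cites an exact vulnerable location (`async_include/views.py` line 25) and the specific change from `jsonpickle.loads()` to `json.loads()`, a `FIX` reference to the fixing commit and a `REPORT` or `ADVISORY` entry for the original disclosure would let a reader verify those claims. Also double-check the URL path `/async_include/get/%3F` in `details`: `%3F` is a percent-encoded `?`, which reads like a literal route segment, so confirm it matches the project's actual URL pattern rather than a copy-paste artifact.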