Platform: python
Component: pytries
Fixed in: 0.8.1, 0.8.2, 0.8.3, 0.8.4
CVE-2026-5659 is an Insecure Deserialization vulnerability affecting the pytries datrie library. Successful exploitation could lead to remote code execution, allowing an attacker to potentially compromise the system. This vulnerability impacts versions 0.8.0 through 0.8.3 of pytries. The project has been notified but has not yet responded with a fix.
A deserialization vulnerability has been identified in pytries datrie, affecting versions up to 0.8.3. Specifically, the functions Trie.load, Trie.read, and Trie.__setstate__ in the file src/datrie.pyx are susceptible. A remote attacker can exploit this vulnerability to execute arbitrary code on the system, compromising the confidentiality, integrity, and availability of data. The public disclosure of an exploit significantly increases the risk, as it facilitates exploitation by malicious actors. The project's lack of response exacerbates the situation, leaving users without an official fix in the short term. This vulnerability requires immediate attention to prevent potential attacks.
The vulnerability is exploited by manipulating the data consumed by the Trie.load, Trie.read, and Trie.__setstate__ functions. The publicly available exploit simplifies the attack process, allowing attackers to inject malicious code while a Trie data structure is being loaded or read. Because the vulnerability is remotely exploitable, attackers do not need physical access to the affected system, which widens the potential attack scope. The public exploit also increases the likelihood of automated and targeted attacks.
Exploit Status
EPSS: 0.05% (15th percentile)
Given that no official fix has been provided by the pytries project, the immediate mitigation is to avoid datrie versions prior to 0.8.3. If the library is essential, add compensating controls: strict validation of input data before it is deserialized, and execution inside an isolated environment (sandbox). Actively monitor systems for signs of exploitation. Consider alternatives to the datrie library if the vulnerability poses an unacceptable risk. Stay informed about any update or patch the project may release in the future, although its current lack of response is concerning.
Update to a fixed version of pytries. The vulnerability is present in versions 0.8.0 through 0.8.3; upgrade to a later version that fixes the deserialization issue in the Trie.__setstate__ function.
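The mitigation above calls for strict validation of data before it is deserialized. As an added example that is not part of this advisory or of the datrie project, the following Python shows the standard defence for pickle-based loading in Python: an Unpickler whose find_class resolves only an allowlist of globals (the allowlist contents are an assumption), plus an audit helper that reports which global a pickle tried to import. It is generic to Python's pickle protocol rather than to datrie's own file format.

```python
import io
import json
import pickle
from collections import OrderedDict

# Constructed allowlist (an assumption for this example): the only globals a
# pickle is permitted to resolve. Any other module.name reference is refused
# before the REDUCE step that would otherwise call it.
SAFE_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals and records each request."""

    def __init__(self, file):
        super().__init__(file)
        self.requested = []  # every (module, name) the pickle asked for, in order

    def find_class(self, module, name):
        self.requested.append((module, name))
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def restricted_loads(data: bytes):
    """Deserialize untrusted bytes; raises UnpicklingError on a non-allowlisted global."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def audit_pickle(data: bytes):
    """Return (accepted, refused_global).

    refused_global is the (module, name) pair that caused rejection, or None when
    the pickle was accepted (or failed before requesting any global).
    """
    unpickler = RestrictedUnpickler(io.BytesIO(data))
    try:
        unpickler.load()
        return True, None
    except pickle.UnpicklingError:
        return False, unpickler.requested[-1] if unpickler.requested else None


# Constructed samples: a benign OrderedDict, and a pickle that merely names a
# function (json.dumps) by reference, which is enough for the allowlist to refuse it.
BENIGN = pickle.dumps(OrderedDict(a=1))
REFERENCES_JSON = pickle.dumps(json.dumps)

if __name__ == "__main__":
    print(audit_pickle(BENIGN))           # (True, None)
    print(audit_pickle(REFERENCES_JSON))  # (False, ('json', 'dumps'))
```

The stock pickle.loads would resolve json.dumps without complaint; the allowlist is what turns an arbitrary import into a refusal.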
Deserialization is the process of converting serialized data (such as a file or string) into a usable object. Deserialization vulnerabilities occur when malicious serialized data can be used to execute arbitrary code.
CVE stands for 'Common Vulnerabilities and Exposures'. It's a unique identifier for this specific vulnerability.
Stop using versions prior to 0.8.3 immediately. Implement temporary mitigation measures and monitor your systems.
Currently, no official patch is available. Stay tuned for updates from the pytries project.
KEV stands for 'Known Exploited Vulnerabilities'. The fact that it is not marked as KEV does not diminish the severity of the vulnerability, especially with a public exploit available.