jsonpickle Deserialization Detected

HIGH

jsonpickle.decode() can execute arbitrary Python code during deserialization. Use the standard json module for untrusted data.

Rule Information

Language
Python
Category
Python Core
Author
Shivasurya
Last Updated
2026-03-22
Tags
python, jsonpickle, deserialization, code-execution, CWE-502, OWASP-A08
CWE References
CWE-502 - Deserialization of Untrusted Data
Interactive Playground

The rule can be run against a project from the command line:

pathfinder scan --ruleset python/PYTHON-LANG-SEC-042 --project .

About This Rule

Understanding the vulnerability and how it is detected

jsonpickle is a Python library that extends JSON serialization to arbitrary Python objects by encoding type information and object state in JSON. During deserialization, jsonpickle.decode() reads that embedded type information, imports the named modules and classes, and rebuilds each object: normally by calling __new__() on the resolved type and then restoring state through __setstate__() or the instance __dict__, and, for objects that were pickled via __reduce__(), by calling the recorded callable with the recorded arguments.

This means jsonpickle.decode() can import any module, instantiate any class and invoke any callable that the input names, which makes it equivalent to pickle.loads() in terms of security risk; jsonpickle's own documentation warns against loading data from untrusted sources. An attacker who controls the JSON input can craft a payload that calls os.system() or another dangerous function during the decode() call.

For data interchange with untrusted parties, use the standard json.loads(), which only ever produces Python built-in types (dict, list, str, int, float, bool, None) and never imports or instantiates anything based on the input.
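The contrast between the two parsers can be seen directly: json.loads() turns a jsonpickle payload into inert dicts and strings, and the type instructions jsonpickle would act on are then visible as ordinary keys. The following is an added example, not code from the original page or from the jsonpickle or Code Pathfinder projects. It walks a json.loads() result and reports every key carrying jsonpickle's "py/" tag prefix, which is useful as a last-line check in front of any store that other code might later read back with jsonpickle.decode(). The sample request bodies are constructed for the example; the "py/object" tag is the structure the rule text describes.

```python
import json

# jsonpickle's type and reconstruction instructions are all dict keys with a
# "py/" prefix (py/object, py/reduce, py/function, py/type, ...). Plain JSON
# produced by ordinary serializers never uses that prefix.
TAG_PREFIX = "py/"

# Constructed sample inputs (not from the original page): a normal request
# body, and the same body with an embedded jsonpickle-style type tag.
BENIGN_JSON = '{"user": "alice", "roles": ["admin", "ops"], "quota": 10}'
TAGGED_JSON = (
    '{"user": "alice", "roles": ["admin"], '
    '"profile": {"py/object": "os.system"}}'
)


def find_jsonpickle_tags(node, path="$"):
    """Walk a json.loads() result and return the location of every key that
    jsonpickle.decode() would read as a type or reconstruction instruction.
    json.loads() only builds dict/list/str/int/float/bool/None, so this walk
    is over inert data: nothing is imported or instantiated."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(key, str) and key.startswith(TAG_PREFIX):
                hits.append(child)
            hits.extend(find_jsonpickle_tags(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_jsonpickle_tags(item, f"{path}[{i}]"))
    return hits


def tags_in(text):
    """Parse with the standard library, then scan the result for tags."""
    return find_jsonpickle_tags(json.loads(text))


def load_plain_json(text):
    """Replacement for jsonpickle.decode() on external input: parse with
    json.loads() and refuse documents carrying jsonpickle tags, so a payload
    cannot be accepted as 'valid JSON', stored, and later reach a
    jsonpickle.decode() call in another component."""
    data = json.loads(text)
    tags = find_jsonpickle_tags(data)
    if tags:
        raise ValueError(f"jsonpickle type tags are not accepted: {tags}")
    return data


if __name__ == "__main__":
    print(tags_in(BENIGN_JSON))   # []
    print(tags_in(TAGGED_JSON))   # ['$.profile.py/object']
```

The tag check is defence in depth, not the fix: the fix is that nothing in the request path calls jsonpickle.decode() at all. Rejecting tagged documents at the boundary simply keeps such payloads out of caches and queues that an internal consumer might still decode with jsonpickle.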

Security Implications

Potential attack scenarios if this vulnerability is exploited

1. Arbitrary Class Instantiation

jsonpickle encodes Python type information as tags such as {"py/object": "os.system"} or, for objects rebuilt through __reduce__(), a py/reduce entry naming a callable and its arguments. During decode(), the named modules are imported, the types instantiated and the callables invoked. An attacker crafts JSON that names a dangerous callable and supplies malicious arguments.

2. JSON Format Disguise

jsonpickle output is valid JSON, so it passes security controls that only check the Content-Type header or JSON well-formedness. The malicious instructions sit inside ordinary-looking keys and values and are easy to miss on casual inspection.

3. API Endpoint Exploitation

REST APIs that use jsonpickle to deserialize request bodies or parameters are directly exploitable. Any endpoint accepting application/json content that is decoded with jsonpickle is a remote code execution vector.

4. Cache and Storage Poisoning

Applications storing jsonpickle-serialized objects in Redis, databases, or message queues are vulnerable if an attacker can write to those stores: the embedded instructions execute when the poisoned value is read back and decoded.

How to Fix

Recommended remediation steps

  1. Replace jsonpickle.decode() with json.loads() for all data received from external sources, including API requests, file uploads, and message queue payloads.
  2. Use pydantic or marshmallow for typed deserialization with validation when structured Python objects are needed from external data.
  3. If jsonpickle is used for internal serialization between trusted components, ensure the serialized data never flows back from external sources.
  4. Audit all jsonpickle usage in API handlers, webhook processors, and data import functions.
  5. Consider migrating from jsonpickle to a schema-defined format (Protocol Buffers, Avro) for internal object serialization.
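The usual reason jsonpickle ends up in a request path is that the application needs types JSON cannot carry (Decimal, datetime, sets). The remediation steps above come together in the following added example, which is not code from the original page or from any project it names: a standard-library replacement that serializes exactly those types with an explicit allowlist and validates the result against a dataclass, instead of letting the input name a class. The Order dataclass, the "$type" tag name and the sample payloads are this example's own choices; in production, pydantic or marshmallow (as the steps recommend) would take over the field validation part.

```python
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from decimal import Decimal


@dataclass(frozen=True)
class Order:
    order_id: int
    customer: str
    total: Decimal
    placed_at: datetime
    tags: frozenset


# The only non-JSON types this application exchanges. The decoder picks the
# Python type from this fixed table; the input can never name a class.
def _encode_extra(obj):
    if isinstance(obj, Decimal):
        return {"$type": "decimal", "value": str(obj)}
    if isinstance(obj, datetime):
        return {"$type": "datetime", "value": obj.isoformat()}
    if isinstance(obj, (set, frozenset)):
        return {"$type": "set", "value": sorted(obj)}
    raise TypeError(f"unsupported type {type(obj).__name__}")


_DECODERS = {
    "decimal": Decimal,
    "datetime": datetime.fromisoformat,
    "set": frozenset,
}


def _decode_extra(d):
    # object_hook: rebuild only the allowlisted tags. Any other dict, including
    # one carrying jsonpickle "py/..." keys, stays an ordinary dict and then
    # fails the field validation in loads_order().
    if set(d) == {"$type", "value"} and d["$type"] in _DECODERS:
        try:
            return _DECODERS[d["$type"]](d["value"])
        except (TypeError, ValueError) as exc:
            raise ValueError(f"malformed {d['$type']} value") from exc
    return d


_FIELDS = {
    "order_id": int,
    "customer": str,
    "total": Decimal,
    "placed_at": datetime,
    "tags": frozenset,
}


def dumps_order(order):
    return json.dumps(asdict(order), default=_encode_extra)


def loads_order(text):
    """Parse untrusted JSON into an Order, or raise ValueError."""
    raw = json.loads(text, object_hook=_decode_extra)
    if not isinstance(raw, dict) or set(raw) != set(_FIELDS):
        raise ValueError("order must be an object with exactly the expected fields")
    for name, typ in _FIELDS.items():
        value = raw[name]
        # bool is a subclass of int; JSON true/false is never valid here
        if isinstance(value, bool) or not isinstance(value, typ):
            raise ValueError(f"field {name!r} must be {typ.__name__}")
    return Order(**raw)


# Constructed sample data (not from the original page).
SAMPLE_ORDER = Order(
    order_id=42,
    customer="alice",
    total=Decimal("19.99"),
    placed_at=datetime(2026, 3, 22, 9, 30, tzinfo=timezone.utc),
    tags=frozenset({"rush", "gift"}),
)

# A jsonpickle-style payload aimed at the same endpoint: the tagged dict is
# never resolved to a type, so validation rejects it as "not a Decimal".
HOSTILE_JSON = (
    '{"order_id": 7, "customer": "mallory", '
    '"total": {"py/object": "os.system"}, '
    '"placed_at": {"$type": "datetime", "value": "2026-03-22T09:30:00+00:00"}, '
    '"tags": {"$type": "set", "value": []}}'
)
```

The design point is that the set of reconstructable types is closed at the decoder and keyed by a name the decoder owns, which is exactly what jsonpickle's py/object and py/reduce tags give away to the sender.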

Detection Scope

How Code Pathfinder analyzes your code for this vulnerability

This rule detects calls to jsonpickle.decode() and jsonpickle.loads() in Python source code. All call sites are flagged since jsonpickle deserialization is inherently dangerous with any input that could be attacker-influenced.
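A minimal version of that detection logic, written here as an added example and not Code Pathfinder's own rule implementation, shows what "direct call" covers: it resolves import aliases through Python's ast module, so both `import jsonpickle as jp; jp.decode(...)` and `from jsonpickle import decode as load_state; load_state(...)` are reported, while json.loads() and jsonpickle.encode() are not. The sample module it scans is constructed for the example. It tracks imports in module order and does no dataflow, so a third-party wrapper around jsonpickle is not found, which is the same limitation noted in the FAQ.

```python
import ast

# The two sinks in this rule's scope.
SINKS = {"decode", "loads"}

# Constructed sample module (not from the original page) exercising the
# aliasing forms that a textual grep for "jsonpickle.decode" would miss.
SAMPLE_SOURCE = '''
import json
import jsonpickle as jp
from jsonpickle import decode as load_state

def handler(body):
    cfg = json.loads(body)        # stdlib: not a finding
    state = jp.decode(body)       # finding: module alias
    other = load_state(body)      # finding: function alias
    return jp.encode(state)       # encode is not a sink
'''


class JsonpickleCallFinder(ast.NodeVisitor):
    def __init__(self):
        self.module_names = set()   # local names bound to the jsonpickle module
        self.func_names = {}        # local name -> jsonpickle function it aliases
        self.findings = []          # (line, column, qualified sink name)

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name == "jsonpickle":
                self.module_names.add(alias.asname or "jsonpickle")

    def visit_ImportFrom(self, node):
        if node.module == "jsonpickle":
            for alias in node.names:
                if alias.name in SINKS:
                    self.func_names[alias.asname or alias.name] = alias.name

    def visit_Call(self, node):
        func = node.func
        if (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id in self.module_names
                and func.attr in SINKS):
            self.findings.append(
                (node.lineno, node.col_offset, f"jsonpickle.{func.attr}"))
        elif isinstance(func, ast.Name) and func.id in self.func_names:
            self.findings.append(
                (node.lineno, node.col_offset,
                 f"jsonpickle.{self.func_names[func.id]}"))
        self.generic_visit(node)   # call arguments may contain further calls


def find_jsonpickle_decodes(source):
    """Return (line, column, sink) for every direct jsonpickle decode call."""
    finder = JsonpickleCallFinder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    for line, col, sink in find_jsonpickle_decodes(SAMPLE_SOURCE):
        print(f"{line}:{col}: {sink}()")
```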

Compliance & Standards

Industry frameworks and regulations that require detection of this vulnerability

CWE Top 25
CWE-502 - Deserialization of Untrusted Data
OWASP Top 10
A08:2021 - Software and Data Integrity Failures
NIST SP 800-53
SI-10: Information Input Validation
PCI DSS v4.0
Requirement 6.2.4 - Protect against deserialization attacks

Frequently Asked Questions

Common questions about jsonpickle Deserialization Detected

Yes, jsonpickle is as dangerous as pickle. jsonpickle uses pickle's __reduce__ mechanism internally to reconstruct objects, so any object that pickle can deserialize dangerously, jsonpickle can too. The JSON encoding provides an illusion of safety because JSON is often considered safe, but jsonpickle's type resolution during decode makes it equivalent to pickle.
jsonpickle handles Python types that JSON cannot represent: datetime, Decimal, sets, custom classes, numpy arrays, and objects with circular references. It is useful for debugging, logging complex Python objects, or serializing state for trusted internal use. The problem arises when it is used to deserialize data from untrusted sources.
The keys parameter controls dictionary key handling, not object instantiation safety. There is no jsonpickle parameter that disables arbitrary class instantiation. If you need to use jsonpickle for internal purposes, never decode data that originated from external sources.
Any Django REST API endpoint that calls jsonpickle.decode() on request data is critically vulnerable to remote code execution. Replace with DRF serializers, pydantic models, or standard json.loads() with manual field validation immediately.
For external data: use json.loads() + pydantic/marshmallow for typed validation. For internal object serialization: evaluate Protocol Buffers, Apache Avro, or custom JSON serializers that explicitly handle each supported type. For the transition period, use jsonpickle only for encoding (never decoding) and migrate decoders first.
The rule detects direct calls to jsonpickle.decode() and jsonpickle.loads(). Libraries that wrap jsonpickle internally may not be detected. Audit your dependencies for jsonpickle usage and review any library that accepts JSON or dict input and returns typed Python objects.
