CVE-2026-25632
Unknown Unknown - Not Provided
Deserialization RCE in EPyT-Flow REST API Before

Publication date: 2026-02-06

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files. This vulnerability is fixed in 0.16.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25632
EUVD
EUVD-2026-5576
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
waterfutures epyt-flow to 0.16.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-25632 is a critical vulnerability in the EPyT-Flow Python package versions prior to 0.16.1. The issue lies in the package's REST API and JSON file loading functionality, where a custom JSON deserializer called my_load_from_json processes attacker-controlled JSON request bodies containing a type field. When this field is present, the deserializer dynamically imports and instantiates the specified module/class using attacker-supplied arguments. This behavior allows attackers to invoke dangerous classes such as subprocess.Popen, leading to arbitrary operating system command execution during JSON parsing."}, {'type': 'paragraph', 'content': 'The vulnerability requires no privileges or user interaction and can be exploited remotely over the network. It results in a scope change, allowing an attacker to compromise confidentiality, integrity, and availability at a high level. The underlying weakness is classified as CWE-502: Deserialization of Untrusted Data. The issue was fixed in EPyT-Flow version 0.16.1 by introducing strict validation and limiting deserialization to pre-registered safe classes.'}] [1, 3]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can have severe impacts because it allows an attacker to execute arbitrary operating system commands remotely without any privileges or user interaction. Exploiting this flaw can lead to a complete compromise of the affected system's confidentiality, integrity, and availability."}, {'type': 'list_item', 'content': 'Remote code execution enabling full system compromise.'}, {'type': 'list_item', 'content': 'Potential unauthorized access to sensitive data.'}, {'type': 'list_item', 'content': 'Disruption or denial of service of the affected application or system.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for usage of the vulnerable EPyT-Flow REST API versions prior to 0.16.1 that parse JSON request bodies containing a type field which triggers unsafe deserialization.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves unsafe JSON deserialization allowing remote code execution, detection can focus on identifying suspicious JSON payloads sent to the REST API, especially those containing a type field that attempts to instantiate dangerous classes like subprocess.Popen.'}, {'type': 'paragraph', 'content': 'Network detection can include inspecting HTTP requests to the EPyT-Flow REST API endpoints for JSON bodies with a type field or unusual module/class names.'}, {'type': 'paragraph', 'content': 'Suggested commands for detection might include using network traffic analysis tools such as tcpdump or Wireshark to capture and filter HTTP POST requests to the EPyT-Flow API, for example:'}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'type'"}, {'type': 'list_item', 'content': "grep -r 'type' /path/to/epyt-flow/logs/ # to find suspicious JSON payloads in logs"}, {'type': 'paragraph', 'content': 'Additionally, checking the installed EPyT-Flow package version can help identify if the system is vulnerable:'}, {'type': 'list_item', 'content': 'pip show epyt-flow'}, {'type': 'paragraph', 'content': 'If the version is prior to 0.16.1, the system is vulnerable.'}] [1]

Mitigation Strategies

The immediate mitigation steps for this vulnerability are to upgrade EPyT-Flow to version 0.16.1 or later, where the unsafe JSON deserialization issue has been fixed.

Until the upgrade can be performed, it is recommended to avoid loading JSON data from untrusted sources and to not expose the vulnerable REST API to untrusted networks.

Specifically:

  • Upgrade EPyT-Flow to version 0.16.1 or newer.
  • Restrict access to the EPyT-Flow REST API to trusted users and networks only.
  • Avoid processing JSON files or requests from untrusted or unauthenticated sources.
  • Review and apply any additional security patches or configuration changes included in the 0.16.1 release.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25632. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart