Executive Summary

CVE-2026-5659 is a critical vulnerability in the Python package datrie, specifically in the Trie class up to version 0.8.3. The issue arises from insecure deserialization using Python's pickle module when loading .trie files. The vulnerable methods (Trie.load, Trie.read, and Trie.__setstate__) deserialize internal data by calling pickle.load() on file contents after reading valid trie binary data.

An attacker can craft a malicious .trie file by appending a malicious pickle payload after valid trie binary data. When this file is loaded using the vulnerable Trie methods, the malicious code embedded in the pickle payload executes arbitrarily on the victim's system without their awareness.

The vulnerability does not affect the BaseTrie class, which does not use pickle for deserialization.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to execute arbitrary Python code remotely by tricking a user into loading a malicious .trie file with the vulnerable datrie.Trie class.

• Remote arbitrary code execution on the victim's system.
• Potential unauthorized actions such as creating files, executing shell commands, or other malicious activities.

Because the deserialization happens silently behind a data-loading API, users may not be aware that malicious code is running.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for the loading of malicious .trie files using the vulnerable datrie.Trie class, which triggers unsafe deserialization via pickle.load().

A practical detection method is to check for the presence of suspicious .trie files that contain appended pickle payloads or to monitor file access and loading operations of .trie files by applications using datrie.

Since the exploit creates proof files (e.g., /tmp/proof.txt) upon successful code execution, checking for unexpected files like /tmp/proof.txt can indicate exploitation.

Suggested commands include:

• Use file integrity monitoring tools to detect unexpected changes or new .trie files.
• Check for the existence of proof-of-exploit files, e.g., `ls /tmp/proof.txt`.
• Use process monitoring or audit logs to detect when datrie.Trie.load() is called, if possible.
• Manually inspect .trie files by splitting the file and analyzing the appended pickle payload with Python scripts to detect malicious content.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include avoiding loading untrusted or unauthenticated .trie files with the vulnerable datrie.Trie class.

If possible, switch to using the datrie.BaseTrie class, which is not vulnerable because it does not use pickle for deserialization.

Implement safer deserialization by replacing pickle.load() and pickle.dump() with safer serialization formats such as JSON or msgpack.

Alternatively, implement a restricted unpickler that only permits safe Python built-in types (e.g., list, dict, set, tuple, int, float, str, bool, NoneType) to prevent arbitrary code execution.

Monitor and audit usage of the datrie.Trie class and restrict file permissions to prevent unauthorized modification or creation of .trie files.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows arbitrary code execution through unsafe deserialization in the datrie.Trie class when loading malicious .trie files. This can lead to unauthorized remote code execution on affected systems.

Such unauthorized code execution can compromise the confidentiality, integrity, and availability of data processed or stored by affected systems, potentially leading to breaches of sensitive personal or health information.

Therefore, this vulnerability may negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and health data against unauthorized access and processing.

Organizations using the vulnerable datrie package should consider this risk in their security assessments and remediation plans to maintain compliance.

Useful 0 Not Useful 0