Description
EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow's REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a __type__ field. When __type__ is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. The same deserializer is used when loading JSON files, so those are affected as well. This vulnerability is fixed in 0.16.1.
Published: 2026-02-06
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via unsafe JSON deserialization
Action: Immediate Patch
AI Analysis

Impact

The flaw resides in EPyT-Flow's REST API and its JSON file loader, both of which use a custom deserializer (my_load_from_json) that honours a __type__ field in the document. When the field is present, the deserializer dynamically imports the named module and class and instantiates it with arguments also taken from the document, so a caller can name any importable class, including subprocess.Popen, and have it constructed while the JSON is still being parsed. Because construction happens inside the parser, attacker-chosen code runs before any application-level validation, with the privileges of the process hosting the API (CWE-502, deserialization of untrusted data).

Affected Systems

WaterFutures EPyT-Flow versions prior to 0.16.1 are affected, on every platform the Python package supports. Any deployment that exposes the REST API to untrusted clients, or that loads JSON files from untrusted sources, is vulnerable, because both paths go through the my_load_from_json routine.

Risk and Exploitability

The CVSS 3.1 score of 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) reflects worst-case severity: reachable over the network, no privileges or user interaction required, and a scope change because the impact lands on the host operating system rather than staying inside the application. The EPSS score below 1% indicates a low predicted probability of exploitation in the wild, not an absence of risk, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment recorded on this page rates it Automatable: yes, Exploitation: none, Technical Impact: total. An attacker only needs to reach the REST API endpoint or get a crafted JSON file loaded; the dynamic import then executes the payload with the privileges of the running Python process, so the blast radius is whatever that account can reach, which is the whole host if the service runs as root or outside a container.

Generated by OpenCVE AI on April 17, 2026 at 22:27 UTC.

Remediation

Vendor fix available: EPyT-Flow 0.16.1 fixes the vulnerability. Interim workarounds are listed under the recommended actions below.

OpenCVE Recommended Actions

  • Upgrade EPyT-Flow to version 0.16.1 or later, which contains the vendor fix for the unsafe deserializer.
  • If an immediate upgrade is not possible, block the REST endpoint(s) that accept JSON bodies, or restrict them to trusted networks, so untrusted clients cannot reach the deserializer at all.
  • Alternatively, reject any JSON payload containing a __type__ key before it reaches the deserializer, or patch the code so that it only constructs classes from a fixed allowlist of safe, predefined types instead of importing whatever module path the document names.
  • Review every path that loads JSON files (scenario data, configuration, uploads) and make sure untrusted files are never passed to the unsafe loader.

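To make the mechanism from the Impact section and the allowlist mitigation from the recommended actions concrete, the following Python models the flawed loader next to a hardened one. This is example code written for this page, not EPyT-Flow's own my_load_from_json; the __type__/__args__/__kwargs__ layout, the SAFE_TYPES registry and the two sample documents are assumptions, since the advisory does not show the real wire format. The malicious document is only resolved, never instantiated, so running the example executes no command.

```python
"""Illustrative model of the CWE-502 pattern behind CVE-2026-25632 and a
hardened replacement. Added example code, not EPyT-Flow's my_load_from_json;
the key names "__type__", "__args__" and "__kwargs__" are assumptions about
the wire format, which the advisory does not show."""
import importlib
import json
from collections import Counter

# Constructed sample documents (not taken from a real request).
BENIGN_DOC = '{"__type__": "collections.Counter", "__args__": [["a", "b", "a"]]}'
MALICIOUS_DOC = ('{"__type__": "subprocess.Popen", "__args__": [["id"]], '
                 '"__kwargs__": {"shell": false}}')


def _resolve_dotted(path: str):
    """Turn 'pkg.mod.Name' into the live object. Every importable attribute
    on the system is reachable this way, which is the whole problem."""
    module_name, _, attr = path.rpartition(".")
    if not module_name:
        raise ValueError(f"not a dotted path: {path!r}")
    return getattr(importlib.import_module(module_name), attr)


def _vulnerable_hook(obj: dict):
    """Object hook in the style of the flawed loader: '__type__' picks the
    class and the document supplies its constructor arguments."""
    if "__type__" in obj:
        cls = _resolve_dotted(obj["__type__"])
        return cls(*obj.get("__args__", []), **obj.get("__kwargs__", {}))
    return obj


def vulnerable_load(text: str):
    """Parse JSON the unsafe way. Only ever call this on trusted input."""
    return json.loads(text, object_hook=_vulnerable_hook)


def resolve_target(text: str) -> str:
    """Report what the vulnerable loader *would* instantiate for a top-level
    '__type__' without calling it, so the demo never runs a command."""
    cls = _resolve_dotted(json.loads(text)["__type__"])
    return f"{cls.__module__}.{cls.__qualname__}"


# --- hardened replacement ---------------------------------------------------

# Closed registry of types the loader may build, keyed by a short name so no
# import path ever comes from the document.
SAFE_TYPES = {"Counter": Counter}


def _safe_hook(obj: dict):
    if "__type__" not in obj:
        return obj
    name = obj["__type__"]
    cls = SAFE_TYPES.get(name)
    if cls is None:
        raise ValueError(f"refusing to instantiate unregistered type {name!r}")
    unknown = set(obj) - {"__type__", "__args__", "__kwargs__"}
    if unknown:
        raise ValueError(f"unexpected keys {sorted(unknown)}")
    return cls(*obj.get("__args__", []), **obj.get("__kwargs__", {}))


def safe_load(text: str):
    """Parse JSON, instantiating only registered types."""
    return json.loads(text, object_hook=_safe_hook)


def has_type_marker(text: str) -> bool:
    """Pre-filter for deployments that cannot upgrade yet: parse with the
    plain stdlib loader (no hook) and report whether any object, at any
    depth, carries a '__type__' key."""
    def walk(value) -> bool:
        if isinstance(value, dict):
            return "__type__" in value or any(walk(v) for v in value.values())
        if isinstance(value, list):
            return any(walk(v) for v in value)
        return False
    return walk(json.loads(text))


if __name__ == "__main__":
    print("vulnerable loader built:", vulnerable_load(BENIGN_DOC))
    print("malicious doc would instantiate:", resolve_target(MALICIOUS_DOC))
    print("pre-filter flags malicious doc:", has_type_marker(MALICIOUS_DOC))
    try:
        safe_load(MALICIOUS_DOC)
    except ValueError as exc:
        print("hardened loader refused:", exc)
```

Two design points carry over to a real fix: the registry is keyed by short names so the document can never supply an import path, and the hook rejects unexpected keys rather than ignoring them, which keeps the attack surface to the constructors you chose to register. Even an allowlisted class must be safe to construct with arbitrary JSON-derived arguments, so keep the registry to simple data holders.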


Advisories
Source: GitHub GHSA
ID: GHSA-74vm-8frp-7w68
Title: EPyT-Flow vulnerable to unsafe JSON deserialization (__type__)
History

Wed, 18 Mar 2026 15:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:waterfutures:epyt-flow:*:*:*:*:*:python:*:*

Mon, 09 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values added: Waterfutures; Waterfutures epyt-flow
Type: Vendors & Products
Values added: Waterfutures; Waterfutures epyt-flow

Fri, 06 Feb 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Feb 2026 20:45:00 +0000

Type: Description
Values added: (the Description shown at the top of this page)
Type: Title
Values added: EPyT-Flow has unsafe JSON deserialization (__type__)
Type: Weaknesses
Values added: CWE-502
Type: References
Values added: (not shown)
Type: Metrics (cvssV3_1)
Values added: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T20:56:43.719Z

Reserved: 2026-02-04T05:15:41.790Z

Link: CVE-2026-25632

Vulnrichment

Updated: 2026-02-06T20:56:34.510Z

NVD

Status: Analyzed

Published: 2026-02-06T21:16:18.377

Modified: 2026-03-18T15:14:50.900

Link: CVE-2026-25632

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:30:29Z

Weaknesses