The vulnerability resides in the JSONSerializer and CBORSerializer of APScheduler, allowing an attacker to craft a JSON or CBOR payload that will be deserialized by the unmarshal_object function. This process permits arbitrary class instantiation and state injection by dynamically importing Python modules and invoking __setstate__ on any class available in the environment, effectively enabling remote code execution. This is a classic example of insecureerialization, mapped to CWE‑502. The attack does not require additional permissions beyond the ability to send the payload to an application that uses these serializers. The raw impact is that an attacker can execute arbitrary code on the target system and potentially gain full control of the application or underlying host.

Any Python application that imports and uses the APScheduler library – specifically all versions of the APScheduler library including 3.10.x and the experimental 4.0.0a5 release – is impacted. Because the vulnerability is tied to the library itself, every environment where APScheduler is installed and the JSONSerializer or CBORSerializer is invoked is vulnerable. No vendor or product name beyond APScheduler was specified in the advisory.

The advisory does not report a CVSS score or EPSS value, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is remote exploitation via network if the application exposes an endpoint that accepts serialized input; it could also be local if a user can provide a crafted payload to the application. No exploitation prerequisites beyond the presence of the vulnerable library and the ability to send the malicious payload are mentioned, implying the exploitation path is straightforward. Because the vulnerability allows arbitrary code execution, the potential severity is high, and it should be treated as a top priority.