ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2021-47952 Remote Code Execution in Python jsonpickle via py/repr Deserialization

A short review of CVE-2021-47952, a critical remote code execution vulnerability in Python's jsonpickle library version 2.0.0 that allows arbitrary command execution through malicious py/repr directives during JSON deserialization.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-16

Brief Summary: CVE-2021-47952 Remote Code Execution in Python jsonpickle via py/repr Deserialization
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A single call to jsonpickle.decode() on untrusted input is all it takes to hand an attacker full code execution on your server. CVE-2021-47952 documents a critical remote code execution vulnerability in the Python jsonpickle library version 2.0.0, where the deserialization of py/repr tagged JSON objects passes attacker controlled strings directly into Python's eval() function.

jsonpickle is an open source Python library that extends standard JSON serialization to support complex Python object graphs. It is widely used in Python projects that need to serialize and reconstruct arbitrary objects, and it is available on PyPI with broad adoption across the Python ecosystem. Its ability to faithfully round trip Python objects through JSON makes it a popular choice, but that same capability is what makes it dangerous when exposed to untrusted data.

Technical Information

The root cause of CVE-2021-47952 lies in how jsonpickle's unpickler handles py/repr tagged objects during deserialization. Unlike standard JSON parsers that produce only basic data types, jsonpickle reconstructs full Python objects from JSON representations. This reconstruction process includes a code path that evaluates arbitrary expressions.

In version 2.0.0, the deserialization flow works as follows:

  1. jsonpickle.decode() receives a JSON string and begins restoring Python objects.
  2. When the unpickler encounters a py/repr tag in the JSON structure, it routes processing to the _restore_repr function.
  3. _restore_repr passes the tag's value to the loadrepr function.
  4. loadrepr splits the input string and directly invokes Python's built in eval() function on the attacker supplied content.

The critical detail is that the safe keyword argument defaults to False in version 2.0.0, meaning eval() is permitted by default with no opt in required from the developer.

Attack Flow

An attacker exploiting this vulnerability would follow these steps:

  1. Identify an application endpoint or data ingestion point that passes external input to jsonpickle.decode().
  2. Craft a JSON payload containing a py/repr directive that specifies a Python module and a function call to execute.
  3. Submit the payload to the target application.
  4. When jsonpickle.decode() processes the payload, the loadrepr function evaluates the attacker's string via eval(), executing arbitrary Python code with the privileges of the running process.

The following example from public exploit research demonstrates the payload structure:

malicious = '{"1": {"py/repr": "time/time.sleep(10)"}, "2": {"py/id": 67}}' some_parameter = jsonpickle.decode(malicious)

This payload causes the application to call time.sleep(10) during deserialization. The same mechanism can be used to invoke os.system() or any other Python function, enabling full system command execution on both Windows and Linux targets.

The attack requires no authentication, no special privileges, and no user interaction. Any application that deserializes external JSON input through jsonpickle is potentially vulnerable.

CWE Classification

This vulnerability is classified under CWE-94 (Improper Control of Generation of Code, also known as Code Injection), which accurately reflects the direct eval() invocation on attacker controlled input.

Affected Systems and Versions

The vulnerability affects jsonpickle version 2.0.0 and earlier versions that include the loadrepr function with eval() enabled by default. Any Python application that calls jsonpickle.decode() on data from an untrusted source while running an affected version is vulnerable.

Newer versions of jsonpickle have made changes to avoid using eval and to disable support for legacy repr serialized objects by default. However, relying solely on the safe=True flag is insufficient, as historical issues demonstrate that code execution can still occur through other mechanisms like py/object and py/reduce even when safe mode is enabled.

Vendor Security History

The jsonpickle project has a documented history of security concerns related to deserialization. The maintainers have consistently communicated that the library is not designed to be safe against malicious input, and multiple GitHub issues have been filed over the years requesting clearer security warnings and safer defaults.

Notable items from the project's security history include:

  • GitHub issue #178 raised the concern that jsonpickle should more clearly warn about the security hazard of deserializing untrusted data.
  • GitHub issue #332 documented that the decode() function unsafely forms objects that can lead to code execution.
  • GitHub issue #335 flagged the broader deserialization of untrusted data concern.
  • The project's changelog documents updates to the unpickler to avoid using eval and to disable support for pre 0.7.0 repr serialized objects by default in later releases.

The maintainers' position is that security is the responsibility of the caller. The official security policy states plainly that loading a JSON string from an untrusted source is always a potential security vulnerability.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization