CVE-2021-47952: Python jsonpickle 2.0.0 RCE Vulnerability

CVE-2021-47952 Overview

CVE-2021-47952 is a remote code execution vulnerability in python jsonpickle version 2.0.0. The library improperly handles py/repr directives during JSON deserialization, allowing attackers to invoke Python's eval function on attacker-controlled strings. Any application that deserializes untrusted JSON with jsonpickle.decode() can be compromised. The vulnerability is classified as Improper Control of Generation of Code [CWE-94].

Critical Impact
Attackers can execute arbitrary Python code and operating system commands by submitting a crafted JSON payload to any endpoint that calls jsonpickle.decode() on untrusted input.

Affected Products

python jsonpickle 2.0.0
Applications and services that deserialize untrusted JSON using jsonpickle.decode()
Python projects with jsonpickle==2.0.0 as a direct or transitive dependency

Discovery Timeline

2026-05-16 - CVE-2021-47952 published to NVD
2026-05-18 - Last updated in NVD database

Technical Details for CVE-2021-47952

Vulnerability Analysis

The jsonpickle library serializes and deserializes arbitrary Python object graphs to and from JSON. To support reconstruction of complex objects, it recognizes special directives embedded inside JSON, including py/object, py/reduce, and py/repr. The py/repr directive instructs the decoder to evaluate a Python expression so that the resulting object can be re-instantiated.

In version 2.0.0, the decoder passes the value of py/repr directly to Python's eval built-in. The implementation does not sandbox the expression, restrict accessible names, or validate that the payload represents a benign literal. Any caller invoking jsonpickle.decode() on attacker-supplied JSON therefore executes attacker-supplied Python code with the privileges of the host process.

Root Cause

The root cause is unsafe code generation from untrusted input [CWE-94]. The deserializer treats the py/repr field as a trusted Python expression instead of inert data. Because eval exposes the full Python runtime, including the os and subprocess modules through builtins, the deserialization step becomes equivalent to arbitrary code execution.

Attack Vector

Exploitation requires no authentication and no user interaction. An attacker submits a JSON document containing a py/repr key whose value is a Python expression that imports a module and runs a command. When the vulnerable application calls jsonpickle.decode() on the document, the embedded expression is evaluated. Typical payloads import os and call os.system to spawn a shell, write web shells, or initiate reverse connections. See the VulnCheck Advisory on jsonpickle and Exploit-DB #49585 for detailed payload structure.

Detection Methods for CVE-2021-47952

Indicators of Compromise

Inbound HTTP request bodies or message queue payloads containing the substring py/repr followed by a Python expression
Python processes spawning child processes such as /bin/sh, bash, cmd.exe, or powershell.exe immediately after handling JSON input
Unexpected outbound network connections originating from application workers that normally only perform request parsing
Presence of jsonpickle==2.0.0 in requirements.txt, Pipfile.lock, or poetry.lock within production deployments

Detection Strategies

Perform software composition analysis on Python projects to flag the jsonpickle 2.0.0 package across repositories and container images
Inspect web application firewall logs for JSON bodies containing py/repr, py/object, or py/reduce directives sent to endpoints that accept JSON
Apply EDR behavioral rules that alert when Python interpreter processes spawn shell or scripting child processes through os.system, subprocess.Popen, or eval
Review application logs for deserialization errors or stack traces referencing jsonpickle.unpickler and the eval built-in

Monitoring Recommendations

Forward process-creation telemetry and JSON request payloads to a centralized data lake to correlate suspicious deserialization events with downstream command execution
Establish a baseline of legitimate child processes for Python application servers and alert on deviations
Track network egress from application tiers and flag connections to addresses outside the expected service mesh

How to Mitigate CVE-2021-47952

Immediate Actions Required

Upgrade jsonpickle to the latest patched release and pin the version in dependency manifests
Audit all code paths that call jsonpickle.decode() and confirm the input source is trusted
Replace jsonpickle with the standard library json module wherever object reconstruction is not required
Rotate credentials and secrets that were accessible to any Python process exposed to untrusted JSON input

Patch Information

Upgrade beyond jsonpickle 2.0.0 to a release that restricts evaluation of py/repr directives. Consult the GitHub Repository for jsonpickle for the current secure release and the jsonpickle Documentation Site for safe-mode decoding options. Rebuild and redeploy container images so cached layers do not reintroduce the vulnerable version.

Workarounds

Refuse to deserialize untrusted input with jsonpickle and use json.loads() for data that does not require object reconstruction
Strip or reject JSON documents containing py/ directives at the application gateway before they reach the deserializer
Run Python services under least-privilege accounts and apply seccomp or AppArmor profiles that block execution of shells from the interpreter
Isolate workloads that must handle externally supplied serialized objects inside short-lived sandboxed containers

bash

# Configuration example: pin a non-vulnerable jsonpickle version
pip install --upgrade jsonpickle
pip freeze | grep -i jsonpickle
# Ensure requirements.txt no longer references jsonpickle==2.0.0