What is the CVSS score of CVE-2025-69872?

CVE-2025-69872 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Python are affected by CVE-2025-69872?

DiskCache library versions up to 5.6.3 contain a critical vulnerability allowing arbitrary code execution if an attacker gains write access to the cache directory.. A patch is available.

How to fix or mitigate CVE-2025-69872?

Within 24 hours: Identify all applications using python-diskcache and assess cache directory permissions and access controls. Within 7 days: Implement compensating controls including strict file system permissions (cache directory readable/writable by application user only), disable pickle serialization if alternative serialization options exist, or isolate affected services. Within 30 days: Monitor for vendor patch release and prepare upgrade testing; consider migrating to alternative caching solutions if patch timeline is unacceptable.

Python CVE-2025-69872

CRITICAL

Code Injection (CWE-94)

2026-02-11 cve@mitre.org

GHSA-w8v5-vhqr-4h9v

Python Deserialization AI / ML RCE Red Hat Suse

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SUSE

CRITICAL

qualitative

Red Hat

7.6 HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Apr 09, 2026 - 08:30 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 22:02 vuln.today

CVE Published

Feb 11, 2026 - 19:15 nvd

CRITICAL 9.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

3,541 pypi packages depend on diskcache (963 direct, 2,619 indirect)

Ecosystem-wide dependent count for version 5.6.3.

DescriptionCVE.org

DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache.

AnalysisAI

Unsafe deserialization in DiskCache Python library through 5.6.3. Uses pickle by default, allowing attackers with cache directory write access to execute arbitrary code.

Technical ContextAI

CWE-94 code injection through Python pickle deserialization. DiskCache uses pickle as default serializer for its file-based cache.

Affected ProductsAI

DiskCache (python-diskcache) <= 5.6.3

RemediationAI

Update DiskCache. Switch to a safe serializer (JSON). Restrict cache directory permissions.

More from same product – last 7 days

CVE-2026-49257 CRITICAL Act Now

10.0 Jun 18

Authentication bypass in StarTree mcp-pinot versions 3.0.1 and earlier exposes the Model Context Protocol HTTP server on

CVE-2026-10561 CRITICAL Act Now

10.0 Jun 22

Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully comprom

CVE-2026-55255 CRITICAL Act Now

9.9 Jun 19

Cross-user flow execution in Langflow versions prior to 1.9.1 allows any authenticated API user to run another user's fl

CVE-2026-53753 CRITICAL Act Now

9.8 Jun 16

Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in

CVE-2026-38714 CRITICAL Act Now

9.8 Jun 18

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a co

Vendor StatusVendor

SUSE

Severity: Critical

Product	Status
SUSE Linux Enterprise Server 16.0	Fixed
SUSE Linux Enterprise Server for SAP applications 16.0	Fixed

CVE-2025-69872 vulnerability details – vuln.today

Back

Python CVE-2025-69872

Severity by source

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionCVE.org

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code