CVE-2026-25632
CRITICAL
GHSA-74vm-8frp-7w68
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3Description
EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files. This vulnerability is fixed in 0.16.1.
Analysis
EPyT-Flow hydraulic simulation package has a CVSS 10.0 insecure deserialization enabling code execution when loading simulation scenario files.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running EPyT-Flow and isolate them from production networks if possible; disable REST API access or restrict to trusted networks only. Within 7 days: Implement network-level controls (WAF rules, API gateway restrictions) to block suspicious JSON type parameters; begin evaluation of alternative packages or version freezing strategy. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today