EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files. This vulnerability is fixed in 0.16.1.
PUBLISHED5.2CWE-502
EPyT-Flow has unsafe JSON deserialization (__type__)
Problem type
Affected products
WaterFutures
EPyT-Flow
< 0.16.1 - AFFECTED
References
https://github.com/WaterFutures/EPyT-Flow/security/advisories/GHSA-74vm-8frp-7w68
https://github.com/WaterFutures/EPyT-Flow/security/advisories/GHSA-74vm-8frp-7w68
https://github.com/WaterFutures/EPyT-Flow/commit/3fff9151494c7dbc72073830b734f0a7e550e385
https://github.com/WaterFutures/EPyT-Flow/commit/3fff9151494c7dbc72073830b734f0a7e550e385
https://github.com/WaterFutures/EPyT-Flow/releases/tag/v0.16.1
https://github.com/WaterFutures/EPyT-Flow/releases/tag/v0.16.1
GitHub Security Advisories
GHSA-74vm-8frp-7w68
EPyT-Flow vulnerable to unsafe JSON deserialization (__type__)
https://github.com/advisories/GHSA-74vm-8frp-7w68Impact
EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files.
Patches
EPyT-Flow has been patched in 0.16.1 -- affects all versions <= 0.16.0
Workarounds
Do not load any JSON from untrusted sources and do not expose the REST API.
Credits
EPyT-Flow thanks Jarrett Chan (@syphonetic) for detecting and reporting the bug.
github.com
https://github.com/WaterFutures/EPyT-Flow/security/advisories/GHSA-74vm-8frp-7w68
github.com
https://github.com/WaterFutures/EPyT-Flow/commit/3fff9151494c7dbc72073830b734f0a7e550e385
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-25632
github.com
https://github.com/WaterFutures/EPyT-Flow/releases/tag/v0.16.1
github.com
https://github.com/advisories/GHSA-74vm-8frp-7w68
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-25632Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-25632",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-02-06T20:56:43.719Z",
"dateReserved": "2026-02-04T05:15:41.790Z",
"datePublished": "2026-02-06T20:24:18.213Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-02-06T20:24:18.213Z"
},
"title": "EPyT-Flow has unsafe JSON deserialization (__type__)",
"descriptions": [
{
"lang": "en",
"value": "EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files. This vulnerability is fixed in 0.16.1."
}
],
"affected": [
{
"vendor": "WaterFutures",
"product": "EPyT-Flow",
"versions": [
{
"version": "< 0.16.1",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-502: Deserialization of Untrusted Data",
"cweId": "CWE-502",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/WaterFutures/EPyT-Flow/security/advisories/GHSA-74vm-8frp-7w68",
"name": "https://github.com/WaterFutures/EPyT-Flow/security/advisories/GHSA-74vm-8frp-7w68",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/WaterFutures/EPyT-Flow/commit/3fff9151494c7dbc72073830b734f0a7e550e385",
"name": "https://github.com/WaterFutures/EPyT-Flow/commit/3fff9151494c7dbc72073830b734f0a7e550e385",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/WaterFutures/EPyT-Flow/releases/tag/v0.16.1",
"name": "https://github.com/WaterFutures/EPyT-Flow/releases/tag/v0.16.1",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL"
}
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-02-06T20:56:43.719Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}