CVE-2021-23727
📋 TL;DR
CVE-2021-23727 is a stored command injection vulnerability in the Celery distributed task queue, affecting versions before 5.2.2. Celery trusts the task metadata it reads back from its result backend (Redis, RabbitMQ, a database, and so on). When it reconstructs a failed task's exception from that metadata, an attacker who can write to the backend can make it instantiate and call something other than an exception class, which gives arbitrary code execution in whichever process reads the poisoned result. Anyone running a vulnerable Celery whose result store can be reached or tampered with is exposed, including under the default configuration.
💻 Affected Systems
- Celery (all versions before 5.2.2)
📦 What is this software?
- Celery by Celeryproject
- Extra Packages For Enterprise Linux (EPEL) by Fedoraproject
- Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the host running the process that reads the poisoned result, with remote code execution that lets the attacker install malware, exfiltrate data, or pivot to other systems.
Likely Case
Code execution with the privileges of whichever process reads the result: a Celery worker, or the application process that calls AsyncResult.get(). That is usually enough for data theft or service disruption even without host-level privileges.
If Mitigated
No impact if network segmentation, backend authentication and access controls stop attackers from reaching, and in particular writing to, the Celery result backend.
🎯 Exploit Status
Exploitation requires the ability to write to, or inject records into, the Celery result backend; it is not reachable just by being able to see task traffic. Proof-of-concept code exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.2 and later
Vendor Advisory: https://github.com/celery/celery/blob/master/Changelog.rst#522
Restart Required: Yes
Instructions:
1. Update Celery with pip: pip install "celery>=5.2.2" (quote the specifier so the shell does not treat > as a redirect)
2. Restart all Celery workers and every application process that reads task results; the fix lives in the backend client code, so a worker-only restart leaves the web tier running the old code
3. Verify the update with celery --version
🔧 Temporary Workarounds
Disable result backend
If task results are not needed, disable the result backend entirely; with nothing stored there is no metadata to poison. Set result_backend = None (CELERY_RESULT_BACKEND in the old uppercase naming). Caveat: chords and any code that calls .get() on a result need a backend, so check for those first.
Restrict serializers (partial)
Make sure pickle is absent from accept_content and result_accept_content, and keep result_serializer = 'json' (the default since Celery 4). This removes the broader pickle deserialization risk, but it does not close CVE-2021-23727 on its own: the vulnerable reconstruction works on plain JSON metadata, because the exc_module/exc_type names are resolved by the backend code after the payload has already been decoded safely.
🧯 If You Can't Patch
- Implement strict network access controls to the Celery backend storage (Redis, RabbitMQ, database) and require authentication on it; an unauthenticated Redis is writable by anyone who can reach its port
- Monitor backend storage for failure records whose exc_module/exc_type does not name an exception class (for example callables from os, subprocess or builtins), and for writes from hosts that are not workers
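The following is an added illustration written for this page, not Celery's own code. It mirrors, in simplified form, the result-backend logic this CVE concerns (described under Exploit Status above): the failure record stored for a task names the exception by exc_module/exc_type, and the backend resolves those names and calls the result. The vulnerable form calls whatever the names resolve to; the hardened form applies the guard that Celery 5.2.2 added and refuses anything that is not an exception class. The scanner at the end applies the same guard to stored records, which is one way to do the backend monitoring suggested in the list above. Assumptions: the SecurityError class is a local stand-in for celery.exceptions.SecurityError, the name lookup uses sys.modules exactly as described in the comments, and the sample records are constructed here in the shape of the celery-task-meta-<id> entries a Redis result backend writes.

```python
"""Added illustration, not Celery's own code: unsafe vs hardened reconstruction
of a failed task's exception from result-backend metadata, plus a scanner that
audits stored records with the hardened check."""
import json
import sys


class SecurityError(Exception):
    """Local stand-in for celery.exceptions.SecurityError."""


def _lookup(meta):
    """Resolve exc_module/exc_type the way the backend does: only modules that
    are already in sys.modules, then a getattr chain for dotted names. Names
    that do not resolve fall back to a freshly created Exception subclass
    (a simplified version of Celery's create_exception_cls fallback)."""
    try:
        obj = sys.modules[meta["exc_module"]]
        for name in meta["exc_type"].split("."):
            obj = getattr(obj, name)
        return obj
    except (KeyError, AttributeError):
        return type(meta["exc_type"], (Exception,), {})


def _instantiate(cls, meta):
    """Call the resolved object with the stored exc_message as its arguments."""
    args = meta.get("exc_message", [])
    return cls(*args) if isinstance(args, (list, tuple)) else cls(args)


def unsafe_exception_to_python(meta):
    """Vulnerable pattern (pre-5.2.2): nothing checks that the resolved object
    is an exception class, so a record naming a plain callable gets it called."""
    return _instantiate(_lookup(meta), meta)


def safe_exception_to_python(meta):
    """Hardened pattern: the guard Celery 5.2.2 added, applied before the call."""
    cls = _lookup(meta)
    if not isinstance(cls, type) or not issubclass(cls, BaseException):
        raise SecurityError(
            f"Expected an exception class, got {meta['exc_module']}.{meta['exc_type']}")
    return _instantiate(cls, meta)


def rejects(meta):
    """True when the hardened reconstruction refuses the record."""
    try:
        safe_exception_to_python(meta)
    except SecurityError:
        return True
    return False


def scan_result_records(records):
    """Audit stored task-meta records (backend key -> JSON string). Returns the
    keys whose FAILURE metadata the hardened check would refuse; those are the
    records worth treating as planted."""
    flagged = []
    for key, raw in records.items():
        meta = json.loads(raw)
        result = meta.get("result")
        if meta.get("status") != "FAILURE" or not isinstance(result, dict):
            continue
        if rejects(result):
            flagged.append(key)
    return flagged


# Constructed sample records: one clean failure, one success, and one planted
# entry naming a non-exception callable (os is always imported in a worker;
# getcwd is used here because it is harmless to call).
LEGIT_FAILURE = {"exc_module": "builtins", "exc_type": "ValueError",
                 "exc_message": ["bad input"]}
PLANTED = {"exc_module": "os", "exc_type": "getcwd", "exc_message": []}
SAMPLE_RECORDS = {
    "celery-task-meta-1111": json.dumps({"status": "FAILURE", "result": LEGIT_FAILURE}),
    "celery-task-meta-2222": json.dumps({"status": "SUCCESS", "result": 42}),
    "celery-task-meta-3333": json.dumps({"status": "FAILURE", "result": PLANTED}),
}

if __name__ == "__main__":
    print(repr(unsafe_exception_to_python(PLANTED)))  # os.getcwd() ran: a path string
    print(rejects(PLANTED), rejects(LEGIT_FAILURE))   # True False
    print(scan_result_records(SAMPLE_RECORDS))        # ['celery-task-meta-3333']
```

Two details carry the security point. The lookup only reaches modules already imported into the reading process, which is why the planted record targets os rather than something exotic; and the guard has to run before the call, because the call itself is the injection. To use the scanner against a real Redis backend, feed it the values of the celery-task-meta-* keys as the records dict.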
🔍 How to Verify
Check if Vulnerable:
Check the Celery version with celery --version or pip show celery; anything below 5.2.2 is vulnerable. Also check whether a result backend is configured (result_backend / CELERY_RESULT_BACKEND): with no backend there is no stored metadata to poison.
Check Version:
celery --version
Verify Fix Applied:
Confirm the version is 5.2.2 or higher with celery --version in every environment that reads results (workers and application hosts), and check that a stored failure record naming a non-exception class is now refused with celery.exceptions.SecurityError instead of being instantiated.
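An added check script for the verification steps above; it is not part of the Celery project. It compares the installed Celery version against the 5.2.2 fix and audits a settings dict for the two things that matter here: whether a result backend is configured at all, and whether pickle is accepted (a separate deserialization risk that the serializer workaround addresses). Assumptions: the settings are passed as a plain dict (dict(app.conf) in a real deployment), both the Celery 4+ lowercase names and the old CELERY_* names are accepted, and pre-release versions are judged by their numeric part only. Celery itself is not imported, so the script runs on any host.

```python
"""Added check, not part of the Celery project: is the installed Celery below
the 5.2.2 fix for CVE-2021-23727, and does the configuration leave a result
backend and/or pickle in play?"""
import re
from importlib import metadata

FIXED = (5, 2, 2)


def parse_version(text):
    """Leading numeric components only: '5.2.1' -> (5, 2, 1), '5.3.0b1' -> (5, 3, 0).
    Assumption: pre-release tags are ignored, so a 5.2.2rc would count as fixed."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_fixed_version(text):
    """True when the version is 5.2.2 or later (tuple comparison)."""
    return parse_version(text) >= FIXED


def installed_celery_version():
    """Version string of the celery distribution in this environment, or None."""
    try:
        return metadata.version("celery")
    except metadata.PackageNotFoundError:
        return None


def audit_config(conf):
    """conf: Celery settings as a plain dict. Returns a list of findings."""
    def get(new, old, default=None):
        # Celery 4+ lowercase name first, then the old uppercase CELERY_* name.
        return conf.get(new, conf.get(old, default))

    findings = []
    backend = get("result_backend", "CELERY_RESULT_BACKEND")
    if backend:
        findings.append(f"result backend enabled ({backend}): stored metadata is reachable")
    accept = get("accept_content", "CELERY_ACCEPT_CONTENT", ["json"])
    result_accept = get("result_accept_content", "CELERY_RESULT_ACCEPT_CONTENT", accept)
    if "pickle" in accept or "pickle" in result_accept:
        findings.append("pickle accepted: arbitrary deserialization independent of this CVE")
    return findings


def assess(version, conf):
    """Verdict string for the version plus the configuration findings."""
    if version is None:
        return "celery not installed", []
    findings = audit_config(conf)
    if is_fixed_version(version):
        return f"celery {version}: fixed for CVE-2021-23727", findings
    return f"celery {version}: VULNERABLE (below 5.2.2)", findings


if __name__ == "__main__":
    # Constructed settings standing in for dict(app.conf) on a real deployment.
    sample_conf = {"result_backend": "redis://localhost:6379/0",
                   "CELERY_ACCEPT_CONTENT": ["json", "pickle"]}
    verdict, findings = assess(installed_celery_version(), sample_conf)
    print(verdict)
    for f in findings:
        print(" -", f)
```

The verdict covers only the version; the findings tell you whether the vulnerable code is actually reachable (a configured backend) and whether a second, unrelated deserialization hole exists (pickle). Both lists being empty on a vulnerable version still warrants the upgrade, since a backend can be enabled later without anyone revisiting this CVE.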
📡 Detection & Monitoring
Log Indicators:
- celery.exceptions.SecurityError raised while a task result is being read; this only appears on 5.2.2 and later, where it means a poisoned record was refused
- Worker or application processes spawning shells or child processes they have no reason to spawn (the pre-patch versions log nothing when the injection succeeds)
- Failure records in the backend whose exc_module/exc_type point at os, subprocess, builtins or other non-exception objects
Network Indicators:
- Connections or writes to the Celery result backend from hosts that are not workers or application servers
- Unexpected data patterns in Redis/RabbitMQ traffic, in particular SET operations on celery-task-meta-* keys that no worker issued
SIEM Query:
source="celery.log" AND "SecurityError"
Note that this query only fires on patched versions; unpatched deployments must rely on the process-spawning and backend-write indicators above.
🔗 References
- https://github.com/celery/celery/blob/master/Changelog.rst#522
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYXRGHWHD2WWMHBWCVD5ULVINPKNY3P5/
- https://snyk.io/vuln/SNYK-PYTHON-CELERY-2314953