CVE-2025-55136

5.7 MEDIUM

📋 TL;DR

CVE-2025-55136 is an insecure deserialization vulnerability in ERC (Emotion Recognition in Conversation) software versions through 0.3. Attackers can exploit this by sending malicious serialized objects to execute arbitrary code on affected systems. This affects any system running vulnerable versions of ERC that processes untrusted input.

💻 Affected Systems

Products:
  • ERC (Emotion Recognition in Conversation)
Versions: All versions through 0.3
Operating Systems: Any OS running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when processing untrusted serialized data via jsonpickle

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment

🟠 Likely Case: Limited code execution within the application context, potentially leading to data leakage or service disruption

🟢 If Mitigated: No impact if proper input validation and security controls prevent malicious payloads

🌐 Internet-Facing: HIGH - If the vulnerable service is exposed to the internet, attackers can directly exploit it
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires sending malicious serialized objects to vulnerable endpoints

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 0.3 (check GitHub PR #31)

Vendor Advisory: https://github.com/tae898/erc/pull/31

Restart Required: No

Instructions:

1. Update ERC to version after 0.3
2. Apply the fix from GitHub PR #31
3. Replace jsonpickle usage with safe serialization methods

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement strict input validation to reject any serialized objects from untrusted sources

🧯 If You Can't Patch

  • Network segmentation to isolate vulnerable systems
  • Implement strict firewall rules to limit access to vulnerable services

🔍 How to Verify

Check if Vulnerable:

Check if ERC version is 0.3 or earlier and uses jsonpickle for deserialization

Check Version:

python -c "import erc; print(erc.__version__)"

Verify Fix Applied:

Verify ERC version is after 0.3 and jsonpickle usage has been replaced with safe alternatives

📡 Detection & Monitoring

Log Indicators:

  • Unusual serialized object patterns in input logs
  • Error messages related to jsonpickle deserialization
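An added example (not code from the ERC project or this advisory) that serves both the "replace jsonpickle with safe serialization" mitigation above and the log indicators listed here: it parses ERC-style requests with the stdlib `json` module only, rejects any document carrying jsonpickle reconstruction tags, enforces the expected request shape, and scans constructed request log lines for the same tags. The tag names, the `{"utterances": [...]}` request shape and the `body=` log field are assumptions for this example.

```python
import json

# jsonpickle tag names that trigger object/callable reconstruction on decode
# (assumed list for this example; plain JSON data never contains them).
JSONPICKLE_TAGS = {"py/object", "py/reduce", "py/type", "py/function", "py/newargs", "py/state"}

def find_jsonpickle_tags(value):
    """Recursively collect jsonpickle reconstruction tags in parsed JSON."""
    found = []
    if isinstance(value, dict):
        for key, item in value.items():
            if key in JSONPICKLE_TAGS:
                found.append(key)
            found.extend(find_jsonpickle_tags(item))
    elif isinstance(value, list):
        for item in value:
            found.extend(find_jsonpickle_tags(item))
    return found

def safe_load_utterances(raw):
    """Parse a request with stdlib json (never jsonpickle) and enforce the assumed
    shape {"utterances": [str, ...]}. Returns (utterances, None) or (None, reason)."""
    try:
        data = json.loads(raw)
    except ValueError:
        return None, "invalid JSON"
    tags = sorted(set(find_jsonpickle_tags(data)))
    if tags:
        return None, "rejected jsonpickle tags: " + ", ".join(tags)
    utts = data.get("utterances") if isinstance(data, dict) else None
    if not isinstance(utts, list) or not all(isinstance(u, str) for u in utts):
        return None, "utterances must be a list of strings"
    return utts, None

def scan_log_lines(lines):
    """Return request log lines whose JSON body carries jsonpickle tags."""
    hits = []
    for line in lines:
        body = line.partition("body=")[2]
        try:
            parsed = json.loads(body) if body else None
        except ValueError:
            continue
        if parsed is not None and find_jsonpickle_tags(parsed):
            hits.append(line)
    return hits

# Constructed sample request log lines (not real ERC logs).
SAMPLE_LOGS = [
    'ts=1 path=/predict body={"utterances": ["hi", "how are you"]}',
    'ts=2 path=/predict body={"utterances": {"py/object": "x.Y", "py/state": {}}}',
    'ts=3 path=/health',
]
```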

Network Indicators:

  • Unusual data patterns in network traffic to ERC services

SIEM Query:

source="erc_logs" AND (message="*jsonpickle*" OR message="*deserialization*")
