Mark deepdiff issues as not-affected in bullseye (!283) · Merge requests · Debian Security Tracker / security-tracker

Mark the two DeepDiff issues as not-affected in bullseye.

Bullseye ships deepdiff 3.3.0-2. Both upstream advisories list affected versions starting at 5.0.0:

CVE-2026-33155: affected 5.0.0 through 8.6.1
CVE-2025-58367: affected >= 5.0.0, <= 8.6.0

This matches the upstream changelog: DeepDiff 5.0.0 introduced the Delta object. The vulnerable code paths are in the later Delta implementation and deepdiff.serialization pickle helpers.

I checked the bullseye source package (3.3.0-2) and it does not contain:

deepdiff/delta.py
deepdiff/serialization.py
Delta
SAFE_TO_IMPORT
_RestrictedUnpickler
pickle_load

For comparison, upstream 5.0.0 contains both deepdiff/delta.py and deepdiff/serialization.py, and its changelog says:

v5-0-0: Introducing the Delta object

Validation:

bin/check-syntax CVE data/CVE/list
git diff --check -- data/CVE/list

References:

https://github.com/qlustered/deepdiff/security/advisories/GHSA-54jj-px8x-5w5q
https://github.com/qlustered/deepdiff/security/advisories/GHSA-mw26-5g2v-hqw3
https://bugs.debian.org/1131472

Edited Apr 21, 2026 by James Montgomery

Mark deepdiff issues as not-affected in bullseye

Merge request reports