CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-R3HX-X5RH-P9VV

GHSA-R3HX-X5RH-P9VV: Remote Code Execution via Unsafe Deserialization in django-haystack

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 15, 2026·5 min read·7 visits

Executive Summary (TL;DR)

Unsafe use of Python's eval() function in the legacy django-haystack Elasticsearch backend allows remote code execution when parsing malicious search index data.

A critical remote code execution vulnerability exists in django-haystack prior to version 3.4.0. The vulnerability stems from the Elasticsearch 1.x search backend incorrectly processing aliased search result fields, leading to the unsafe execution of user-supplied strings using Python's built-in eval() function.

Vulnerability Overview

A remote code execution flaw exists in the legacy Elasticsearch search backend of the django-haystack package prior to version 3.4.0. The vulnerability occurs when processing and deserializing document fields retrieved from Elasticsearch queries. If an application uses the affected Elasticsearch 1.x search backend, untrusted data indexed by the system can lead to arbitrary code execution on the application server.\n\nDjango-haystack provides modular search integration for Django applications, facilitating abstract queries over backend engines. The backend relies on key lookups to dynamically convert raw query results back into logical Python types. When using specific configuration fields, lookups can fail, forcing the application into an unsafe deserialization fallback route.\n\nThis vulnerability is classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) and CWE-502 (Deserialization of Untrusted Data). The execution vector relies on the application automatically calling Python's built-in eval() function on string fields, presenting a direct vector for code injection.

Root Cause Analysis

The core logic defect occurs during search result deserialization inside haystack/backends/elasticsearch_backend.py. When a search query matches documents, the backend parses the search results to map storage fields back to application-defined logical model fields. This translation maps external document data to internal Python class instances.\n\nIf a field utilizes a custom search alias defined via index_fieldname, the backend checks the document properties using the Elasticsearch-specific alias name. This lookup fails against the backend's internal logical fields dictionary, which is indexed by logical property name rather than alias. As a consequence of this mapping mismatch, the application fails to identify the correct field type.\n\nBecause of this lookup failure, the backend falls back to generic deserialization. It routes the field value through a private method named _to_python(). Within this fallback mechanism, the application invokes Python's built-in eval() function on the raw string retrieved from the search index, aiming to deduce its original type dynamically. Any string evaluated in this manner is compiled and executed as code.

Code Analysis

The vulnerable code in _to_python() attempts to dynamically determine the type of the serialized string. By directly passing the untrusted input to eval(), any syntactically valid Python code is executed.\n\npython\n# Vulnerable Implementation in haystack/backends/elasticsearch_backend.py\ndef _to_python(self, value):\n try:\n # Unsafe evaluation of arbitrary string inputs\n converted_value = eval(value)\n # Try to handle most built-in types.\n if isinstance(converted_value, (list, tuple, set, dict, int, float, bool)):\n return converted_value\n except Exception:\n pass\n return value\n\n\nThe remediation replaces the dynamic evaluation sink with ast.literal_eval(). Unlike eval(), this function utilizes Python's Abstract Syntax Tree parser to safely instantiate only basic literal types, such as strings, numbers, dictionaries, and lists. It rejects arbitrary function calls, imports, and system commands.\n\npython\n# Patched Implementation in haystack/backends/elasticsearch_backend.py\nimport ast\n\ndef _to_python(self, value):\n try:\n # Safe parsing restricted to Python literals\n converted_value = ast.literal_eval(value)\n # Try to handle most built-in types.\n if isinstance(converted_value, (list, tuple, set, dict, int, float, bool)):\n return converted_value\n except Exception:\n pass\n return value\n

Exploitation Methodology

To exploit this vulnerability, an attacker must have a means of inserting malicious payload strings into fields that are indexed by the target Elasticsearch instance. Common vectors include registering accounts with malicious usernames, posting comments containing payload strings, or updating profile descriptions. The input must then pass successfully to the backend and be stored in the index.\n\nmermaid\ngraph LR\n A["Attacker Input"] -->|Injected Payload| B["Elasticsearch Index"]\n B -->|Search Results Retrieved| C["Alias Field Parsing"]\n C -->|Key Lookup Mismatch| D["_to_python() Fallback"]\n D -->|eval() Call| E["Arbitrary Python Execution"]\n\n\nSince the backend evaluates the stored field value using eval(), the payload must represent a valid Python expression. A command execution string can import Python's subprocess or os modules to execute operating system commands. For example, a payload such as __import__('os').system('id') runs the shell command directly.\n\nThe payload remains dormant in the Elasticsearch index until a user or internal application component triggers a search query that matches and retrieves the malicious document. Once retrieved, django-haystack parses the search results, encounters the aliased field, fails the lookup, and routes the malicious string to _to_python(), resulting in immediate code execution under the privileges of the web application server.

Impact Assessment & Residual Risks

An attacker who successfully exploits this vulnerability achieves unauthenticated remote code execution on the application server hosting the Django web server. The injected commands execute with the operating system permissions of the worker process, typically www-data or a dedicated application user. This access can lead to lateral movement, data extraction, or persistent access.\n\nWith a CVSS score of 9.8, this is a critical-severity vulnerability. The attack vector is network-based, requires no user interaction, and can be triggered by unauthenticated clients if the application indexes public inputs. No specific authentication is required to trigger execution once the payload resides in the index.\n\nWhile the patch using ast.literal_eval() eliminates the arbitrary code execution vector, it does not fix the original field mapping mismatch bug. Legitimate aliased fields still trigger ast.literal_eval(). Furthermore, excessively nested lists or dictionaries passed to ast.literal_eval() can consume significant CPU and stack resources, presenting a potential denial-of-service vector if nested patterns are supplied.

Remediation & Detection

The primary recommendation is upgrading django-haystack to version 3.4.0 or higher. This version formally secures the deserialization fallback logic across the affected backend by utilizing the safer ast.literal_eval() parser.\n\nBecause Elasticsearch 1.x has been deprecated, users are strongly advised to transition to modern search backend engines supported by django-haystack 4.x. Modern search backends do not contain the vulnerable legacy code path, rendering the application immune to this specific defect even if configuration mismatches exist.\n\nSecurity teams can detect exploitation attempts by monitoring application logs for Python tracebacks containing SyntaxError or ValueError originating from elasticsearch_backend.py. Additionally, runtime Endpoint Detection and Response (EDR) utilities should monitor the web application server for anomalous child processes, such as the execution of sh or bash by Python workers.

Official Patches

django-haystackOfficial fix commit on GitHub

Fix Analysis (1)

Technical Appendix

CVSS Score
9.8/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Systems

django-haystack applications utilizing the legacy Elasticsearch 1.x backend

Affected Versions Detail

Product
Affected Versions
Fixed Version
django-haystack
django-haystack
< 3.4.03.4.0
AttributeDetail
CWE IDCWE-95
Attack VectorNetwork
CVSS Score9.8
Exploit StatusProof-of-Concept
KEV StatusNot Listed
ImpactRemote Code Execution

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1203Exploitation for Client/Server Execution
Execution
T1059Command and Scripting Interpreter
Execution
CWE-95
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax structures before evaluating the expression.

Vulnerability Timeline

Vulnerability patched and django-haystack v3.4.0 released
2026-06-04

References & Sources

  • [1]Official Fix Commit
  • [2]Official Release Changelog
  • [3]GitHub Security Advisory

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•18 minutes ago•GHSA-7GCF-G7XR-8HXJ
7.5

GHSA-7GCF-G7XR-8HXJ: Denial of Service via Integer Underflow and Uncontrolled Allocation in serde_with

A Denial of Service (DoS) vulnerability in the Rust crate `serde_with` arises from an integer underflow and uncontrolled memory allocation during the processing of empty collections using the `KeyValueMap` helper. Depending on the build profile, this flaw leads to an immediate thread panic (debug) or process abort due to an out-of-memory condition (release).

Amit Schendel
Amit Schendel
0 views•7 min read
•about 1 hour ago•GHSA-XG43-5579-QW6V
7.5

GHSA-XG43-5579-QW6V: Uncontrolled Resource Consumption (Decompression Bomb) in adawolfa/isdoc

A high-severity vulnerability exists in the adawolfa/isdoc PHP library before versions 1.4.1 and 2.0.0. The library fails to restrict or validate the sizes of files extracted from untrusted Zip archives (.isdocx container files) or PDF embedded streams. This allows remote attackers to perform decompression bomb attacks, causing denial of service via memory or disk exhaustion.

Alon Barad
Alon Barad
4 views•7 min read
•about 3 hours ago•GHSA-62GX-5Q78-WRVX
9.1

GHSA-62GX-5Q78-WRVX: Authenticated Path Traversal in obsidian-local-rest-api

The obsidian-local-rest-api plugin prior to version 4.1.3 is vulnerable to an authenticated path traversal flaw in its /vault/{path} endpoints. An authenticated attacker can bypass the vault root boundary using URL-encoded directory traversal sequences to perform unauthorized operations on the host filesystem.

Amit Schendel
Amit Schendel
7 views•5 min read
•about 6 hours ago•CVE-2026-50552
6.3

CVE-2026-50552: Server-Side Request Forgery via Validation Bypass in Koel

An authenticated Server-Side Request Forgery (SSRF) vulnerability in Koel, an open-source personal music streaming server, allows remote attackers to probe internal hosts and loopback addresses. The vulnerability arises due to a missing 'bail' validation rule in the Laravel-based form validation pipeline, which permits downstream HTTP checks to execute even after a URL has failed security verification.

Alon Barad
Alon Barad
7 views•6 min read
•about 7 hours ago•GHSA-8Q6Q-M837-FV64
6.4

GHSA-8Q6Q-M837-FV64: Authenticated Server-Side Request Forgery in Koel

A Server-Side Request Forgery (SSRF) vulnerability in the open-source personal music streaming server Koel allows authenticated Subsonic API users to perform unauthorized network queries. This flaw resides in both the Subsonic podcast feed import routine and the subsequent redirect handling inside the podcast streaming helper, exposing private local networks and internal loopback systems to unauthorized reconnaissance and interaction.

Alon Barad
Alon Barad
7 views•5 min read
•about 15 hours ago•CVE-2026-50661
6.1

CVE-2026-50661: Windows BitLocker Security Feature Bypass

CVE-2026-50661 is a security feature bypass vulnerability in Microsoft Windows BitLocker full-disk encryption. A physical attacker can exploit this flaw to bypass encryption controls, permitting unauthorized access to sensitive local storage and the modification of offline system configurations.

Amit Schendel
Amit Schendel
32 views•5 min read