Nixpkgs security tracker

Untriaged

Permalink CVE-2026-5659

6.3 MEDIUM

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 1 week, 4 days ago

pytries datrie trie File datrie.pyx Trie.__setstate__ deserialization

A vulnerability was found in pytries datrie up to 0.8.3. The affected element is the function Trie.load/Trie.read/Trie.__setstate__ of the file src/datrie.pyx of the component trie File Handler. The manipulation results in deserialization. The attack can be launched remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

References

VDB-355483 | pytries datrie trie File datrie.pyx Trie.__setstate__ deserialization vdb-entrytechnical-description
VDB-355483 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #785228 | pytries datrie 0.8.3 Deserialization third-party-advisory
https://github.com/pytries/datrie/issues/109 issue-tracking
https://github.com/dhabaleshwar/Open-Source-Vulnerabilities/blob/main/dartie_co… exploit
https://github.com/pytries/datrie/ product

Affected products

datrie

==0.8.0
==0.8.3
==0.8.2
==0.8.1

Matching in nixpkgs

pkgs.libdatrie

This is an implementation of double-array structure for representing trie

nixos-unstable 2019-12-20
- nixpkgs-unstable 2019-12-20
- nixos-unstable-small 2019-12-20
nixos-25.11 2019-12-20
- nixos-25.11-small 2019-12-20
- nixpkgs-25.11-darwin 2019-12-20