CVE-2026-25632
Published: 06 February 2026
Summary
CVE-2026-25632 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in WaterFutures EPyT-Flow. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 23.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the vulnerability by requiring timely remediation through patching to EPyT-Flow version 0.16.1, which fixes the unsafe custom JSON deserializer.
Requires validation of attacker-controlled JSON inputs to the REST API, rejecting payloads with malicious 'type' fields that trigger dynamic code execution.
Boundary protection mechanisms like web application firewalls can inspect and block crafted JSON requests exploiting the deserialization flaw in unauthenticated REST API endpoints.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated RCE via unsafe JSON deserialization in public REST API (T1190) enables arbitrary command execution through Python dynamic class instantiation and subprocess (T1059.006).
NVD Description
EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files. This vulnerability is fixed in 0.16.1.
Deeper analysis
CVE-2026-25632 is a critical deserialization vulnerability (CWE-502) in EPyT-Flow, a Python package for generating hydraulic and water quality scenario data for water distribution networks. In versions prior to 0.16.1, the REST API uses a custom JSON deserializer called my_load_from_json that processes attacker-controlled request bodies. This deserializer supports a "type" field, which triggers dynamic import and instantiation of an attacker-specified module or class using supplied arguments. This mechanism allows invocation of dangerous classes, such as subprocess.Popen, resulting in arbitrary OS command execution during JSON parsing. The flaw also affects the loading of JSON files.
Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction, as reflected in its perfect CVSS v3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). By sending a crafted JSON payload to affected REST API endpoints—with a "type" field specifying a malicious class and arguments—an attacker triggers code execution on the server during deserialization. Similarly, loading a tampered JSON file yields the same outcome, enabling full system compromise including high confidentiality, integrity, and availability impacts with changed scope.
The vulnerability was addressed in EPyT-Flow version 0.16.1. Mitigation involves upgrading to this patched release. Key resources include the fixing commit at https://github.com/WaterFutures/EPyT-Flow/commit/3fff9151494c7dbc72073830b734f0a7e550e385, the release notes at https://github.com/WaterFutures/EPyT-Flow/releases/tag/v0.16.1, and the GitHub security advisory at https://github.com/WaterFutures/EPyT-Flow/security/advisories/GHSA-74vm-8frp-7w68.
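The input-validation control listed above calls for rejecting request bodies whose type field names an unexpected class. One way to put such a gate in front of the deserializer, as an added example that is not EPyT-Flow's code or its 0.16.1 fix: the allowlisted names and the two accepted tag shapes (dotted string or [module, class] list) are assumptions, and the sample bodies are constructed.

```python
import json

# Assumptions (not EPyT-Flow's real identifiers or schema): placeholder type
# names, and a tag that is a dotted string or a [module, class] list.
ALLOWED_TYPES = frozenset({"example_pkg.ScenarioConfig", "example_pkg.SensorConfig"})
MAX_DEPTH = 32
# Constructed sample request bodies.
SAMPLE_OK = '{"type": "example_pkg.ScenarioConfig", "sensors": [{"type": ["example_pkg", "SensorConfig"]}]}'
SAMPLE_BAD = '{"name": "net1", "items": [{"type": ["subprocess", "Popen"]}]}'

class RejectedPayload(ValueError):
    """The body must not be handed to the type-instantiating deserializer."""

def _no_duplicate_keys(pairs):
    # Two "type" keys in one object could be read differently by this gate and the parser behind it.
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise RejectedPayload("duplicate key in object")
    return dict(pairs)

def _type_name(value):
    parts = [value] if isinstance(value, str) else value
    if isinstance(parts, list) and parts and all(isinstance(p, str) for p in parts):
        return ".".join(parts)
    raise RejectedPayload(f"malformed type tag: {value!r}")

def check_types(node, depth=0):
    """Return the set of type tags found; raise if any is not allowlisted."""
    if depth > MAX_DEPTH:
        raise RejectedPayload("nesting too deep")
    seen, children = set(), (node if isinstance(node, list) else [])
    if isinstance(node, dict):
        children = [v for k, v in node.items() if k != "type"]
        if "type" in node:
            name = _type_name(node["type"])
            if name not in ALLOWED_TYPES:
                raise RejectedPayload(f"type not allowlisted: {name}")
            seen.add(name)
    for child in children:
        seen |= check_types(child, depth + 1)
    return seen

def validate_body(raw):
    """Parse as plain data with the standard json module, then vet every tag."""
    try:
        doc = json.loads(raw, object_pairs_hook=_no_duplicate_keys)
    except (json.JSONDecodeError, RecursionError) as exc:
        raise RejectedPayload("invalid JSON") from exc
    return sorted(check_types(doc))
```

Call `validate_body` on the raw request body or file contents before they reach the deserializer; it is a compensating check for hosts that cannot yet move to 0.16.1.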