GHSA-R3HX-X5RH-P9VV: Remote Code Execution via Unsafe Deserialization in django-haystack
Vulnerability ID: GHSA-R3HX-X5RH-P9VV
CVSS Score: 9.8
Published: 2026-07-15
A critical remote code execution vulnerability exists in django-haystack prior to version 3.4.0. The vulnerability stems from the Elasticsearch 1.x search backend incorrectly processing aliased search result fields, leading to the unsafe execution of user-supplied strings using Python's built-in eval() function.
TL;DR
Unsafe use of Python's eval() function in the legacy django-haystack Elasticsearch backend allows remote code execution when parsing malicious search index data.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-95
- Attack Vector: Network
- CVSS Score: 9.8
- Exploit Status: Proof-of-Concept
- KEV Status: Not Listed
- Impact: Remote Code Execution
Affected Systems
- django-haystack applications utilizing the legacy Elasticsearch 1.x backend
-
django-haystack: < 3.4.0 (Fixed in:
3.4.0)
Code Analysis
Commit: eb05f19
Replace unsafe eval with ast.literal_eval in Elasticsearch backend
Mitigation Strategies
- Upgrade django-haystack to v3.4.0 or higher.
- Decommission the legacy Elasticsearch 1.x search backend and migrate to modern supported engines.
Remediation Steps:
- Update the requirements file to specify django-haystack>=3.4.0.
- Run pip install -U django-haystack in the target environments.
- Deploy the updated application and monitor logs for evaluation-related tracebacks.
References
Read the full report for GHSA-R3HX-X5RH-P9VV on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)