DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-R3HX-X5RH-P9VV: GHSA-R3HX-X5RH-P9VV: Remote Code Execution via Unsafe Deserialization in django-haystack

GHSA-R3HX-X5RH-P9VV: Remote Code Execution via Unsafe Deserialization in django-haystack

Vulnerability ID: GHSA-R3HX-X5RH-P9VV
CVSS Score: 9.8
Published: 2026-07-15

A critical remote code execution vulnerability exists in django-haystack prior to version 3.4.0. The vulnerability stems from the Elasticsearch 1.x search backend incorrectly processing aliased search result fields, leading to the unsafe execution of user-supplied strings using Python's built-in eval() function.

TL;DR

Unsafe use of Python's eval() function in the legacy django-haystack Elasticsearch backend allows remote code execution when parsing malicious search index data.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-95
  • Attack Vector: Network
  • CVSS Score: 9.8
  • Exploit Status: Proof-of-Concept
  • KEV Status: Not Listed
  • Impact: Remote Code Execution

Affected Systems

  • django-haystack applications utilizing the legacy Elasticsearch 1.x backend
  • django-haystack: < 3.4.0 (Fixed in: 3.4.0)

Code Analysis

Commit: eb05f19

Replace unsafe eval with ast.literal_eval in Elasticsearch backend

Mitigation Strategies

  • Upgrade django-haystack to v3.4.0 or higher.
  • Decommission the legacy Elasticsearch 1.x search backend and migrate to modern supported engines.

Remediation Steps:

  1. Update the requirements file to specify django-haystack>=3.4.0.
  2. Run pip install -U django-haystack in the target environments.
  3. Deploy the updated application and monitor logs for evaluation-related tracebacks.

References


Read the full report for GHSA-R3HX-X5RH-P9VV on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)