{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/graphitedb/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["graphitedb (\u003c 0.2)"],"_cs_severities":["high"],"_cs_tags":["insecure-deserialization","code-execution","graphitedb"],"_cs_type":"advisory","_cs_vendors":["Graphite"],"content_html":"\u003cp\u003eGraphite, a graph database engine, is susceptible to insecure deserialization in versions prior to 0.2. The vulnerability arises from the use of Python\u0026rsquo;s \u003ccode\u003epickle\u003c/code\u003e module to serialize and deserialize database files. \u003ccode\u003epickle\u003c/code\u003e is unsafe for data from untrusted sources by design: a pickle stream is a program for a small stack machine, and its opcodes can instruct the unpickler to import any module and call any callable with attacker-chosen arguments, so deserializing it can execute arbitrary code. An attacker can exploit this by crafting a malicious Graphite database file whose pickle stream invokes such a callable. When a vulnerable Graphite instance loads the file, the embedded call runs with the privileges of the Graphite process, leading to potential system compromise. The vulnerability has been patched in version 0.2, which migrates to a JSON-based storage format; a JSON parser instantiates only plain data types (strings, numbers, lists, dictionaries), not arbitrary objects, so loading it cannot trigger code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious Graphite database file: a pickle stream that, for example, encodes the output of an object\u0026rsquo;s \u003ccode\u003e__reduce__\u003c/code\u003e method (a callable plus its arguments, as GLOBAL and REDUCE opcodes) so that the unpickler invokes a function such as \u003ccode\u003eos.system\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious database file to the target, for example through social engineering, a compromised file share, or as one step in a larger attack chain.\u003c/li\u003e\n\u003cli\u003eThe victim, running a vulnerable version of Graphite (prior to 0.2), loads the database file, which calls \u003ccode\u003epickle.load()\u003c/code\u003e on its contents.\u003c/li\u003e\n\u003cli\u003eDuring deserialization the \u003ccode\u003epickle\u003c/code\u003e module resolves the referenced callable and invokes it. The attacker\u0026rsquo;s code runs before \u003ccode\u003epickle.load()\u003c/code\u003e returns, so no further interaction with the loaded graph is needed.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution with the privileges of the Graphite process and can, for example, install backdoors, steal sensitive data, or disrupt services.\u003c/li\u003e\n\u003cli\u003eFrom that foothold the attacker may establish persistence on the system to keep access after the initial compromise.\u003c/li\u003e\n\u003cli\u003eIf the Graphite process or the host allows it, the attacker may escalate privileges to gain administrative control over the system.\u003c/li\u003e\n\u003cli\u003eThe attacker may then use the compromised system to move laterally within the network, compromising other systems and expanding their foothold.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation gives the attacker arbitrary code execution on a system running a vulnerable version of Graphite, with the privileges of the Graphite process. The primary consequence is compromise of that system, including data theft, service disruption, and further lateral movement within the network. Exposure requires loading a database file from an untrusted source, but any deployment of a Graphite version before 0.2 that does so is potentially impacted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Graphite version 0.2 or later, which stores databases as JSON instead of \u003ccode\u003epickle\u003c/code\u003e (see the \u003ccode\u003egraphite.Migration\u003c/code\u003e module documentation).\u003c/li\u003e\n\u003cli\u003eOn versions prior to 0.2, do not load Graphite database files from untrusted or unknown sources (see Workarounds).\u003c/li\u003e\n\u003cli\u003eMigrate existing pickle-based Graphite databases to the JSON format with the \u003ccode\u003econvert_pickle_to_json\u003c/code\u003e function from the \u003ccode\u003egraphite.Migration\u003c/code\u003e module (see Workarounds). The conversion necessarily unpickles the old file, so run it only on database files whose origin you trust, never on a file received from an untrusted party.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect attempts to load pickle-format database files on hosts running a patched version of Graphite.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T13:29:05Z","date_published":"2026-05-18T13:29:05Z","id":"https://feed.craftedsignal.io/briefs/2026-05-graphite-pickle-deserialization/","summary":"Graphite versions before 0.2 are vulnerable to insecure deserialization due to the use of Python's `pickle` module for database storage, allowing attackers to craft malicious database files that execute arbitrary code when loaded.","title":"Graphite graph database engine Insecure Deserialization Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-graphite-pickle-deserialization/"}],"language":"en","title":"CraftedSignal Threat Feed — Graphitedb","version":"https://jsonfeed.org/version/1.1"}
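Added example for the advisory above (the attack chain, the impact statement and the migration recommendation); it is not Graphite's own code and not part of the feed item. It shows why `pickle.load` on a database file is code execution, how to triage a suspect pickle file without executing it, why a find_class-restricted unpickler is only a stop-gap for legacy files, and why the JSON format removes the problem. Graphite's real on-disk layout is not known here, so the sample graph is a constructed dict; the payload calls `builtins.eval` on a harmless expression in place of `os.system` on a real command, and `referenced_globals`, `RestrictedUnpickler` and the helper names are this example's own, not Graphite APIs.

```python
"""Pickle deserialization as code execution, with pre-load triage and the
JSON alternative. Illustration only; the database layout is assumed."""
import io
import json
import os
import pickle
import pickletools

# Constructed stand-in for a Graphite graph (the real format is assumed).
SAMPLE_DB = {"nodes": ["a", "b"], "edges": [["a", "b"]]}


class MaliciousDB:
    """Pickling this object emits GLOBAL/REDUCE opcodes: on load, the
    unpickler imports builtins, looks up eval, and calls it."""

    def __reduce__(self):
        # Harmless marker expression; a real attacker would return
        # (os.system, ("<command>",)) here instead.
        return (eval, ("__import__('os').getpid()",))


def craft_malicious_db() -> bytes:
    """Attack-chain step 1: the bytes of a malicious 'database file'."""
    return pickle.dumps(MaliciousDB(), protocol=pickle.HIGHEST_PROTOCOL)


def craft_benign_db() -> bytes:
    """A pickle of plain data, as a pre-0.2 file is assumed to look."""
    return pickle.dumps(SAMPLE_DB, protocol=pickle.HIGHEST_PROTOCOL)


def vulnerable_load(data: bytes):
    """Pre-0.2 behaviour as the advisory describes it: pickle.load on the
    file. For the malicious file the result is eval's output, not a graph."""
    return pickle.load(io.BytesIO(data))


def referenced_globals(data: bytes) -> list[str]:
    """Static triage: list every module.name the stream would import, without
    executing it. A pickle of plain data references nothing; any payload must
    reference a callable (GLOBAL or STACK_GLOBAL, then REDUCE). A malformed
    stream makes pickletools raise ValueError, itself a red flag."""
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":            # protocol 0-3: "module name"
            found.append(arg.replace(" ", ".", 1))
        elif opcode.name == "STACK_GLOBAL":    # protocol 4+: two pushed strings
            found.append(".".join(strings[-2:]) if len(strings) >= 2
                         else "<malformed STACK_GLOBAL>")
        elif isinstance(arg, str):
            strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only opcodes that build plain data
    (dicts, lists, strings, numbers) can succeed. A stop-gap for reading
    legacy files you already trust; the real fix is the JSON format."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def restricted_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def save_json_db(db: dict) -> bytes:
    """0.2-style storage: data only, no constructors for an attacker to name."""
    return json.dumps(db).encode("utf-8")


def load_json_db(data: bytes) -> dict:
    """json.loads builds only dict/list/str/int/float/bool/None. A pickle
    stream (protocol 2+ starts with byte 0x80) fails decoding or parsing."""
    return json.loads(data.decode("utf-8"))


def run_demo() -> dict:
    """Exercise the vulnerable loader, the triage check, the restricted
    unpickler and the JSON path; returns a report of what happened."""
    malicious, benign = craft_malicious_db(), craft_benign_db()
    report = {"vulnerable_ran_payload": vulnerable_load(malicious) == os.getpid(),
              "malicious_globals": referenced_globals(malicious),
              "benign_globals": referenced_globals(benign)}
    try:
        restricted_load(malicious)
        report["restricted_blocked"] = False
    except pickle.UnpicklingError:
        report["restricted_blocked"] = True
    report["restricted_loads_benign"] = restricted_load(benign) == SAMPLE_DB
    report["json_roundtrip"] = load_json_db(save_json_db(SAMPLE_DB)) == SAMPLE_DB
    try:
        load_json_db(malicious)
        report["json_rejects_pickle"] = False
    except ValueError:  # UnicodeDecodeError and JSONDecodeError both subclass it
        report["json_rejects_pickle"] = True
    return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

`referenced_globals` is the check to run on a suspect pre-0.2 file before anyone calls `convert_pickle_to_json` on it: the migration has to unpickle the file, so a file that references any global at all should be treated as hostile rather than migrated.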