The use of jsonpickle.decode() in core components like ProcessExecutor and JsonPickleSerializer creates a significant Remote Code Execution (RCE) vulnerability. While this mechanism is currently used for Inter-Process Communication (IPC) to pass Node objects, the fact that Node structures can contain configuration data or user-provided inputs (e.g., prompts, external configs) makes it susceptible to malicious payload injection.
Technical Details
dynamiq/executors/pool.py: The deserialize_node method calls jsonpickle.decode(node_data) with a # nosec comment, explicitly bypassing security linters.
dynamiq/components/serializers.py: JsonPickleSerializer.loads performs the same insecure operation.
jsonpickle is inherently unsafe when handling data from untrusted or potentially manipulated sources. In a modern AI framework like Dynamiq, assuming all node configurations are trusted is a dangerous design choice.
Proposed Solution
Since Node and its related structures already inherit from Pydantic's BaseModel, I recommend transitioning from jsonpickle to Pydantic's native serialization. Using model_dump_json() and model_validate_json() ensures that data is handled as pure JSON, completely eliminating the risk of arbitrary code execution during deserialization.
This change would align the IPC mechanism with the rest of the project's architecture and significantly harden the system against RCE attacks.
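An added example of the proposed replacement, not code from the Dynamiq repository: a Pydantic v2 serializer that round-trips a node payload as plain JSON and rejects documents carrying undeclared keys such as jsonpickle-style type tags. The NodeConfig model, the serializer class and the sample documents are assumptions constructed for illustration.

```python
# Added example: a pure-JSON stand-in for JsonPickleSerializer built on
# Pydantic v2. NodeConfig and PydanticJsonSerializer are hypothetical names,
# not Dynamiq's own classes.
from __future__ import annotations

from typing import Any, Literal

from pydantic import BaseModel, ConfigDict, Field, ValidationError


class NodeConfig(BaseModel):
    """Stand-in for a Node's IPC payload: only declared fields are accepted."""

    model_config = ConfigDict(extra="forbid")  # undeclared keys fail validation

    name: str
    node_type: Literal["llm", "tool", "router"]
    prompt: str = ""
    params: dict[str, Any] = Field(default_factory=dict)


class PydanticJsonSerializer:
    """Round-trips NodeConfig through plain JSON: no type tags, no imports."""

    @staticmethod
    def dumps(node: NodeConfig) -> str:
        return node.model_dump_json()

    @staticmethod
    def loads(data: str) -> NodeConfig:
        # Parses the JSON and checks it against the schema; no value in the
        # document can name a class or callable to be constructed.
        return NodeConfig.model_validate_json(data)


def round_trip(node: NodeConfig) -> NodeConfig:
    return PydanticJsonSerializer.loads(PydanticJsonSerializer.dumps(node))


def is_accepted(data: str) -> bool:
    """True if the document validates as a NodeConfig, False otherwise."""
    try:
        PydanticJsonSerializer.loads(data)
        return True
    except ValidationError:
        return False


# Constructed sample inputs (not real Dynamiq nodes).
SAFE_NODE = NodeConfig(name="summarize", node_type="llm", prompt="Summarize: {text}")
# A document using jsonpickle's tag layout instead of declared fields; the
# tag is just an unknown key here and the whole document is refused.
TAGGED_DOC = '{"py/object": "some.module.SomeClass", "name": "x", "node_type": "llm"}'

if __name__ == "__main__":
    assert round_trip(SAFE_NODE) == SAFE_NODE
    assert not is_accepted(TAGGED_DOC)
```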