CVE-2026-25632
EPyT-Flow · EPyT-Flow
EPyT-Flow’s REST API custom deserializer allows dynamic instantiation of attacker-specified classes. This leads to OS command execution via dangerous classes like subprocess.Popen.
Executive summary
EPyT-Flow is vulnerable to unauthenticated remote code execution (RCE) through a flawed JSON deserialization process that permits arbitrary OS command execution.
Vulnerability
The custom deserializer my_load_from_json processes attacker-controlled JSON bodies. By providing a specific "type" field, an unauthenticated attacker can force the application to import and instantiate dangerous Python classes, such as subprocess.Popen, with arbitrary arguments.
Business impact
With a CVSS score of 10.0, this vulnerability allows for complete system takeover. Attackers can execute arbitrary OS commands, potentially leading to the compromise of critical infrastructure data related to water distribution networks and lateral movement into internal systems.
Remediation
Immediate Action: Update EPyT-Flow to version 0.16.1, which replaces the insecure deserialization logic with a safe alternative.
Proactive Monitoring: Review REST API logs for JSON requests containing "type" fields that reference unexpected or dangerous Python modules and classes.
Compensating Controls: Deploy a Web Application Firewall (WAF) to filter incoming JSON payloads for suspicious keywords like "subprocess", "os", or "Popen".
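As an added illustration of the flaw described under Vulnerability and of the log review in the second remediation item (this is example code, not EPyT-Flow's my_load_from_json or its fix): a deserializer that maps the JSON "type" field through an explicit allowlist instead of importing whatever class name the body supplies, plus a helper that lists non-allowlisted "type" values in a logged request body without instantiating anything. The ScenarioConfig class, the args/kwargs layout and the sample bodies are assumptions constructed for the example.

```python
import json
from typing import Any, Callable

class ScenarioConfig:
    """Hypothetical stand-in for a class the API legitimately needs to rebuild."""
    def __init__(self, name: str, duration: int) -> None:
        self.name = name
        self.duration = duration

# Allowlist: JSON "type" value -> constructor. The "type" string is only ever
# used as a dictionary key here, never as a module/class path to import.
ALLOWED_TYPES: dict[str, Callable[..., Any]] = {"ScenarioConfig": ScenarioConfig}

class UnsafeTypeError(ValueError):
    """Raised for any "type" value that is not on the allowlist."""

def _object_hook(obj: dict) -> Any:
    if "type" not in obj:
        return obj
    ctor = ALLOWED_TYPES.get(obj["type"])
    if ctor is None:
        raise UnsafeTypeError(f"refusing non-allowlisted type {obj['type']!r}")
    # Assumed payload layout: positional "args" list and keyword "kwargs" dict.
    args, kwargs = obj.get("args", []), obj.get("kwargs", {})
    if not isinstance(args, list) or not isinstance(kwargs, dict):
        raise UnsafeTypeError("malformed args/kwargs")
    return ctor(*args, **kwargs)

def safe_load_from_json(body: str) -> Any:
    """Deserialize a request body; only allowlisted types are instantiated."""
    return json.loads(body, object_hook=_object_hook)

def find_disallowed_types(body: str) -> list[str]:
    """Log-review helper: every "type" value in a raw JSON body that is not
    allowlisted, found by walking the parsed data (nothing is instantiated)."""
    found: list[str] = []
    def walk(node: Any) -> None:
        if isinstance(node, dict):
            t = node.get("type")
            if isinstance(t, str) and t not in ALLOWED_TYPES:
                found.append(t)
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)
    walk(json.loads(body))
    return found

# Constructed sample bodies, standing in for entries pulled from a REST API log.
BENIGN_BODY = '{"type": "ScenarioConfig", "args": ["net1", 24]}'
SUSPECT_BODY = '{"scenario": {"type": "subprocess.Popen"}}'
```

Running find_disallowed_types over archived request bodies gives the "unexpected module or class" review from the remediation list without the false positives of a plain keyword grep.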
Exploitation status
Public Exploit Available: No
Analyst recommendation
This is a critical RCE vulnerability that requires immediate attention. Organizations using EPyT-Flow for hydraulic modeling must prioritize the update to version 0.16.1 to prevent unauthorized access to sensitive infrastructure controls.