updating docs

Author: seperman

AUTHORS.md

@@ -76,3 +76,4 @@ Authors in order of the timeline of their contributions:
 - [Jim Cipar](https://github.com/jcipar) for the fix recursion depth limit when hashing numpy.datetime64
 - [Enji Cooper](https://github.com/ngie-eign) for converting legacy setuptools use to pyproject.toml
 - [Diogo Correia](https://github.com/diogotcorreia) for reporting security vulnerability in Delta and DeepDiff that could allow remote code execution.
+- [am-periphery](https://github.com/am-periphery) for reporting CVE-2025-58367: denial-of-service via crafted pickle payloads triggering massive memory allocation.

CHANGELOG.md

@@ -1,5 +1,8 @@
 # DeepDiff Change log
 
+- v8-6-2
+    - Security fix (CVE-2025-58367): Prevent denial-of-service via crafted pickle payloads that trigger massive memory allocation through the REDUCE opcode. Size-sensitive callables like `bytes()` and `bytearray()` are now wrapped to reject allocations exceeding 128 MB.
+
 - v8-6-1
     - Patched security vulnerability in the Delta class which was vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it could lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization).
 

README.md

@@ -23,6 +23,9 @@ Tested on Python 3.9+ and PyPy3.
 
 Please check the [ChangeLog](CHANGELOG.md) file for the detailed information.
 
+DeepDiff 8-6-2
+- **Security (CVE-2025-58367):** Fixed a memory exhaustion DoS vulnerability in `_RestrictedUnpickler` by limiting the maximum allocation size for `bytes` and `bytearray` during deserialization.
+
 DeepDiff 8-6-1
 - Patched security vulnerability in the Delta class which was vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it could lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization).
 

docs/authors.rst

@@ -118,6 +118,7 @@ and polars support.
 - `Enji Cooper <https://github.com/ngie-eign>`__ for converting legacy
   setuptools use to pyproject.toml
 - `Diogo Correia <https://github.com/diogotcorreia>`__ for reporting security vulnerability in Delta and DeepDiff that could allow remote code execution.
+- `am-periphery <https://github.com/am-periphery>`__ for reporting CVE-2025-58367: denial-of-service via crafted pickle payloads triggering massive memory allocation.
 
 
 .. _Sep Dehpour (Seperman): http://www.zepworks.com

docs/changelog.rst

@@ -5,6 +5,9 @@ Changelog
 
 DeepDiff Changelog
 
+- v8-6-2
+   - Security fix (CVE-2025-58367): Prevent denial-of-service via crafted pickle payloads that trigger massive memory allocation through the REDUCE opcode. Size-sensitive callables like ``bytes()`` and ``bytearray()`` are now wrapped to reject allocations exceeding 128 MB.
+
 - v8-6-1
    - Patched security vulnerability in the Delta class which was vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it could lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization).
 

docs/index.rst

@@ -31,6 +31,11 @@ The DeepDiff library includes the following modules:
 What Is New
 ***********
 
+DeepDiff 8-6-2
+--------------
+
+    - Security fix (CVE-2025-58367): Prevent denial-of-service via crafted pickle payloads that trigger massive memory allocation through the REDUCE opcode. Size-sensitive callables like ``bytes()`` and ``bytearray()`` are now wrapped to reject allocations exceeding 128 MB.
+
 DeepDiff 8-6-1
 --------------