Bump version: 8.6.0 → 8.6.1 and add security vulnerability notes

- Update version to 8.6.1 across all files - Add security vulnerability notes to CHANGELOG and README - Update AUTHORS.md to credit security reporter - Update documentation with security fix information
seperman · vitalis89 · Aug 8, 2025 · Aug 8, 2025 · Aug 8, 2025 · Sep 3, 2025
commit 683756ef03064047744dbf4978ca27d2211a846f
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 8.6.0
+current_version = 8.6.1
 commit = True
 tag = True
 tag_name = {new_version}

diff --git a/AUTHORS.md b/AUTHORS.md
@@ -75,3 +75,4 @@ Authors in order of the timeline of their contributions:
 - [dtorres-sf](https://github.com/dtorres-sf) for the fix for moving nested tables when using iterable_compare_func.
 - [Jim Cipar](https://github.com/jcipar) for the fix recursion depth limit when hashing numpy.datetime64
 - [Enji Cooper](https://github.com/ngie-eign) for converting legacy setuptools use to pyproject.toml
+- [Diogo Correia](https://github.com/diogotcorreia) for reporting security vulnerability in Delta and DeepDiff that could allow remote code execution.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # DeepDiff Change log
 
+- v8-6-1
+    - Patched security vulnerability in the Delta class which was vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it could lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization).
+
+
 - v8-6-0
     - Added Colored View thanks to @mauvilsa 
     - Added support for applying deltas to NamedTuple thanks to @paulsc 

diff --git a/CITATION.cff b/CITATION.cff
@@ -5,6 +5,6 @@ authors:
   given-names: "Sep"
   orcid: "https://orcid.org/0009-0009-5828-4345"
 title: "DeepDiff"
-version: 8.6.0
+version: 8.6.1
 date-released: 2024
 url: "https://github.com/seperman/deepdiff"
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# DeepDiff v 8.6.0
+# DeepDiff v 8.6.1
 
 ![Downloads](https://img.shields.io/pypi/dm/deepdiff.svg?style=flat)
 ![Python Versions](https://img.shields.io/pypi/pyversions/deepdiff.svg?style=flat)
@@ -17,12 +17,15 @@
 
 Tested on Python 3.9+ and PyPy3.
 
-- **[Documentation](https://zepworks.com/deepdiff/8.6.0/)**
+- **[Documentation](https://zepworks.com/deepdiff/8.6.1/)**
 
 ## What is new?
 
 Please check the [ChangeLog](CHANGELOG.md) file for the detailed information.
 
+DeepDiff 8-6-1
+- Patched security vulnerability in the Delta class which was vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it could lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization).
+
 DeepDiff 8-6-0
 
 - Added Colored View thanks to @mauvilsa 

diff --git a/deepdiff/__init__.py b/deepdiff/__init__.py
@@ -1,6 +1,6 @@
 """This module offers the DeepDiff, DeepSearch, grep, Delta and DeepHash classes."""
 # flake8: noqa
-__version__ = '8.6.0'
+__version__ = '8.6.1'
 import logging
 
 if __name__ == '__main__':

diff --git a/docs/authors.rst b/docs/authors.rst
@@ -117,6 +117,7 @@ and polars support.
   limit when hashing numpy.datetime64
 - `Enji Cooper <https://github.com/ngie-eign>`__ for converting legacy
   setuptools use to pyproject.toml
+- `Diogo Correia <https://github.com/diogotcorreia>`__ for reporting security vulnerability in Delta and DeepDiff that could allow remote code execution.
 
 
 .. _Sep Dehpour (Seperman): http://www.zepworks.com

diff --git a/docs/changelog.rst b/docs/changelog.rst
@@ -5,6 +5,9 @@ Changelog
 
 DeepDiff Changelog
 
+- v8-6-1
+   - Patched security vulnerability in the Delta class which was vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it could lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization).
+
 - v8-6-0
    - Added Colored View thanks to @mauvilsa
    - Added support for applying deltas to NamedTuple thanks to @paulsc

diff --git a/docs/conf.py b/docs/conf.py
@@ -64,9 +64,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '8.6.0'
+version = '8.6.1'
 # The full version, including alpha/beta/rc tags.
-release = '8.6.0'
+release = '8.6.1'
 
 load_dotenv(override=True)
 DOC_VERSION = os.environ.get('DOC_VERSION', version)

diff --git a/docs/index.rst b/docs/index.rst
@@ -4,7 +4,7 @@
    contain the root `toctree` directive.
 
 
-DeepDiff 8.6.0 documentation!
+DeepDiff 8.6.1 documentation!
 =============================
 
 *******
@@ -31,6 +31,12 @@ The DeepDiff library includes the following modules:
 What Is New
 ***********
 
+DeepDiff 8-6-1
+--------------
+
+    - Patched security vulnerability in the Delta class which was vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it could lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization).
+
+
 DeepDiff 8-6-0
 --------------
 

diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi"
 
 [project]
 name = "deepdiff"
-version = "8.6.0"
+version = "8.6.1"
 dependencies = [
   "orderly-set>=5.4.1,<6",
 ]

diff --git a/uv.lock b/uv.lock