Jump to solution
Verify

Celery SecureSerializer fails on certain types and binary serializers (Fix)

Fixed
Spec
Package
Celery
Verdict
Status
Fixed
Safe for prod
No
Risk
Medium
Last verified
2026-02-11
Own content ratio
0.56
#8981 ai duplicates rate-limit security serialization tls Updated: 2026-02-13
Issue #8981

The Fix

Adds 'data_type' as a new field to the metadata that is saved as part of `SecuredSerializer` serialization, enabling better handling of various data types.

Based on closed celery/celery issue #8981 · PR/commit linked

Production note: This usually shows up under retries/timeouts. Treat it as a side-effect risk until you can verify behavior with a canary + real traffic.

Jump to Verify Open PR/Commit
@@ -29,7 +29,8 @@ def serialize(self, data): with reraise_errors('Unable to serialize: {0!r}', (Exception,)): content_type, content_encoding, body = dumps( - bytes_to_str(data), serializer=self._serializer) + data, serializer=self._serializer) +
repro.py
app.conf.update( security_key='/private/keys/celery/private.key', security_certificate='/private/keys/celery/public.pem', security_cert_store='/private/keys/celery/*.pem') app.setup_security() @app.task def serializer_test_task(arg: Any) -> Any: return arg def test_serialize(data): res = serializer_test_task.delay(data) deserialized_value = res.get() assert deserialized_value == data test_serialize(data=b"foo") # fails to validate signature ############# app.setup_security(serializer="pickle") test_serialize(data="foo") # fails to serialize any value using pickle serializer
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Apply the official fix\nAdds 'data_type' as a new field to the metadata that is saved as part of `SecuredSerializer` serialization, enabling better handling of various data types.\nWhen NOT to use: Do not use this fix if your application relies on the previous serialization assumptions.\n\n

Why This Fix Works in Production

  • Trigger: SecureSerializer fails on certain types and binary serializers
  • Mechanism: The SecureSerializer fails to handle certain data types due to incorrect assumptions in serialization

Why This Breaks in Prod

  • The SecureSerializer fails to handle certain data types due to incorrect assumptions in serialization
  • Production symptom (often without a traceback): SecureSerializer fails on certain types and binary serializers

Proof / Evidence

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“<!-- Please fill this template entirely and do not erase parts of it. We reserve the right to close without a response bug reports which are incomplete. --> # Checklist <!-- To check an item on the list replace [ ] with [x]. --> - [X] I hav”
Issue thread · issue description · source

Failure Signature (Search String)

  • SecureSerializer fails on certain types and binary serializers
  • - [X] I have included all related issues and possible duplicate issues
Copy-friendly signature
signature.txt
Failure Signature ----------------- SecureSerializer fails on certain types and binary serializers - [X] I have included all related issues and possible duplicate issues

Error Message

Signature-only (no traceback captured)
error.txt
Error Message ------------- SecureSerializer fails on certain types and binary serializers - [X] I have included all related issues and possible duplicate issues

Minimal Reproduction

repro.py
app.conf.update( security_key='/private/keys/celery/private.key', security_certificate='/private/keys/celery/public.pem', security_cert_store='/private/keys/celery/*.pem') app.setup_security() @app.task def serializer_test_task(arg: Any) -> Any: return arg def test_serialize(data): res = serializer_test_task.delay(data) deserialized_value = res.get() assert deserialized_value == data test_serialize(data=b"foo") # fails to validate signature ############# app.setup_security(serializer="pickle") test_serialize(data="foo") # fails to serialize any value using pickle serializer

What Broke

Users experience serialization errors when sending unsupported data types, leading to task failures.

Why It Broke

The SecureSerializer fails to handle certain data types due to incorrect assumptions in serialization

Fix Options (Details)

Option A — Apply the official fix

Adds 'data_type' as a new field to the metadata that is saved as part of `SecuredSerializer` serialization, enabling better handling of various data types.

When NOT to use: Do not use this fix if your application relies on the previous serialization assumptions.

Fix reference: https://github.com/celery/celery/pull/8982

Last verified: 2026-02-11. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • Do not use this fix if your application relies on the previous serialization assumptions.

Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
  • Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.

Related Issues

No related fixes found.

Cluster: celery:ssl-handshake Celery hub Celery best practices All hubs All clusters
Related clusters: Configuration error Data consistency Duplicates

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #8981. Not affiliated with the library maintainers. Verify before production use.