Submit #593099: Upsonic <=v0.55.6 Deserializationinfo

Titel	Upsonic <=v0.55.6 Deserialization
Beschreibung	When user is runing Upsonic, attacker via /tools/add_tool to achieve RCE by sending carefully crafted data. Because cloudpickle.loads(decoded_function) function is Unsafe Deserialization
Quelle	⚠️ https://github.com/Upsonic/Upsonic/issues/353
Benutzer	Anonymous User
Einreichung	09.06.2025 10:56 (vor 10 Monaten)
Moderieren	19.06.2025 08:53 (10 days later)
Status	Akzeptiert
VulDB Eintrag	313283 [Upsonic bis 0.55.6 Pickle /tools/add_tool cloudpickle.loads erweiterte Rechte]
Punkte	16

Do you need the next level of professionalism?

Upgrade your account now!