Submit #593099: Upsonic <=v0.55.6 Deserializationinfo

Title	Upsonic <=v0.55.6 Deserialization
Description	When user is runing Upsonic, attacker via /tools/add_tool to achieve RCE by sending carefully crafted data. Because cloudpickle.loads(decoded_function) function is Unsafe Deserialization
Source	⚠️ https://github.com/Upsonic/Upsonic/issues/353
User	Anonymous User
Submission	06/09/2025 10:56 (10 months ago)
Moderation	06/19/2025 08:53 (10 days later)
Status	Accepted
VulDB entry	313283 [Upsonic up to 0.55.6 Pickle /tools/add_tool cloudpickle.loads deserialization]
Points	16

Do you want to use VulDB in your project?

Use the official API to access entries easily!