| tiêu đề | erdogant pypickle 1.1.5 Insecure Deserialization |
|---|
| Mô tả | In the repository https://github.com/erdogant/pypickle, the function load() in pypickle.py uses Python’s pickle.load() to deserialize data from a file without validating or sanitizing the input. If an attacker supplies a malicious pickle file, they can execute arbitrary code when the file is loaded, resulting in a Remote Code Execution (RCE) vulnerability.
This occurs because pickle.load() is inherently unsafe for loading untrusted data, as it can deserialize and invoke arbitrary Python objects, including system calls. |
|---|
| Nguồn | ⚠️ https://github.com/erdogant/pypickle/issues/2 |
|---|
| Người dùng | esharmaji (UID 84358) |
|---|
| Đệ trình | 16/05/2025 13:23 (cách đây 11 các tháng) |
|---|
| Kiểm duyệt | 25/05/2025 15:42 (9 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 310262 [erdogant pypickle đến 1.1.5 pypickle/pypickle.py load nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|