Critical Vulnerability in Python PLY Library Enables Remote Code Execution

Posted on By CWS

A crucial vulnerability has been recognized within the PyPI-distributed model of PLY (Python Lex-Yacc) 3.11, permitting arbitrary code execution by way of unsafe deserialization of untrusted pickle recordsdata.

The vulnerability, assigned CVE-2025-56005, impacts the undocumented picklefile parameter within the yacc() perform, which stays absent from official documentation regardless of being current within the manufacturing launch.

The vulnerability stems from the yacc(picklefile=…) parameter invoking pickle.load() on attacker-controlled recordsdata with out validation.

Python’s pickle module inherently helps arbitrary code execution throughout deserialization by way of the __reduce__() technique, enabling malicious payloads to execute system instructions earlier than parser initialization happens.

This presents a singular danger profile as a result of the code execution occurs silently throughout software startup, earlier than any parsing logic is reached.

The vulnerability is especially harmful in environments the place parser tables are cached on disk, shared between companies, or generated in CI/CD pipelines.

Exploitation turns into potential when attackers can management, change, or affect the pickle file path, equivalent to:

Space / ComponentDescriptionCached parser desk locationsLocations the place parser tables are saved locallyShared community directoriesNetwork-accessible shared foldersCI/CD pipeline artifactsBuild and deployment output filesConfigurable or writable file pathsApplication-defined writable paths

The vulnerability may be demonstrated by way of a malicious pickle payload that executes system instructions throughout deserialization.

When yacc(picklefile=’exploit.pkl’) masses a crafted pickle file containing serialized objects with embedded __reduce__() strategies, arbitrary code execution is assured earlier than the parser turns into operational.

In line with the advisory, organizations ought to instantly implement the next mitigations:

Keep away from utilizing the picklefile parameter with untrusted or externally writable recordsdata. Disable loading parser tables from user-controlled places.

Deal with all pickle recordsdata as doubtlessly unsafe enter. Regenerate parser tables dynamically somewhat than loading from disk.

Builders ought to replace functions that use PLY 3.11 and audit configurations for potential publicity by way of the undocumented parameter.

Comply with us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to function your tales.

Cyber Security News Tags:, , , , , , , ,

Related Posts

Women’s Dating App Tea Exposes Selfie Images of 13,000 Users Cyber Security News
Ransomware Targeting Hyper-V and VMware ESXi Surges as Akira Group Exploits System Vulnerabilities Cyber Security News
New Report on Commercial Spyware Vendors Detailing Their Targets and Infection Chains Cyber Security News
New GhostFrame Super Stealthy Phishing Kit Attacks Millions of Users Worldwide Cyber Security News
SpyCloud Unveils Top 10 Cybersecurity Predictions Poised to Disrupt Identity Security in 2026 Cyber Security News
Hackers Compromised Official Gaming Mouse Software to Deliver Windows-based Xred Malware Cyber Security News