PT-2025-45704 · Pypi · Scapy

Published

2025-10-22

·

Updated

2025-10-22

CVSS v4.0

5.4

Medium

Vector AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

An unsafe deserialization vulnerability in Scapy <v2.7.0 allows attackers to execute arbitrary code when a malicious session file is locally loaded via the -s option. This requires convincing a user to manually load a malicious session file.

Details

Scapy's interactive shell supports session loading from gzip-compressed pickle files:

```bash
./run_scapy -s <session_file.pkl.gz>
```

Internally, this triggers:

```python
# main.py
SESSION = pickle.load(gzip.open(session_name, "rb"))
```
Since no validation or restriction is performed on the deserialized object, any callable referenced via `__reduce__()` is invoked as soon as the file is unpickled. This makes it trivial for an attacker to drop a malicious `.pkl.gz` in a shared folder and have it executed by unsuspecting users.
The vulnerability lies in the `load_session` function, which deserializes data using `pickle.load()` on `.pkl.gz` files provided via the `-s` CLI flag or programmatically through `conf.session`:
```python
import gzip
import pickle

try:
    # gzip-compressed session: arbitrary objects are reconstructed here
    s = pickle.load(gzip.open(fname, "rb"))
except IOError:
    try:
        # fallback for an uncompressed pickle, same unrestricted load
        s = pickle.load(open(fname, "rb"))
    except IOError:
        ...  # remainder of the handler not quoted in the advisory
```
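A defender who receives a `.pkl.gz` session file can inspect what it would import and call without unpickling it. The following is an added example, not Scapy's own code: it walks the pickle opcode stream with the standard-library `pickletools.genops`, collects every `GLOBAL`/`STACK_GLOBAL` reference and counts the opcodes that would invoke a callable (the path a `__reduce__` payload takes). The helper names `referenced_globals`, `triage_session_file` and `constructed_samples` are assumptions made here; the sample pickles are constructed in the block and use a harmless `collections.OrderedDict` to stand in for any object with a `__reduce__`.

```python
import gzip
import pickle
import pickletools
from collections import OrderedDict

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
MEMO_PUT_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}
MEMO_GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def referenced_globals(data):
    """Walk the opcode stream with pickletools.genops (nothing is imported or
    instantiated) and return ([(module, name), ...], call_count): the callables
    the stream would import and the number of opcodes that would invoke one."""
    found, calls, memo, pushed = [], 0, {}, []
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in STRING_OPS:
            pushed.append(arg)                     # string operands feed STACK_GLOBAL
        elif name in MEMO_PUT_OPS:
            key = len(memo) if name == "MEMOIZE" else arg
            memo[key] = pushed[-1] if pushed else None
        elif name in MEMO_GET_OPS:
            pushed.append(memo.get(arg))           # memo hit: replay the stored string
        elif name == "GLOBAL":                     # protocol 0-3: "module name" inline
            found.append(tuple(arg.split(" ", 1)))
            pushed.append(None)
        elif name == "STACK_GLOBAL":               # protocol 4+: module, name on the stack
            found.append((pushed[-2], pushed[-1]))
            pushed.append(None)
        else:
            if name in CALL_OPS:
                calls += 1
            if op.stack_after:                     # some non-string object was pushed
                pushed.append(None)
    return found, calls

def triage_session_file(path):
    """Inspect a .pkl.gz session file the way -s would read it, minus the load."""
    with gzip.open(path, "rb") as fh:
        return referenced_globals(fh.read())

def constructed_samples(protocol):
    """Constructed inputs: a data-only dict, and an object whose __reduce__ makes
    the stream import a global and call it (a harmless OrderedDict stands in)."""
    return (pickle.dumps({"packets": [1, 2, 3]}, protocol=protocol),
            pickle.dumps(OrderedDict(), protocol=protocol))
```

A data-only session yields an empty import list and zero calls; anything else means the file will run code on load and should not be passed to `-s`.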

Impact

This is a classic deserialization vulnerability that leads to code execution when untrusted data is deserialized.
Any user who can trick another user into loading a crafted `.pkl.gz` session file (e.g. via the `-s` option) can execute arbitrary Python code.
  • Vulnerability type: Insecure deserialization (Python pickle)
  • CWE: CWE-502: Deserialization of Untrusted Data
  • CVSS v4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • CVSS Score: 5.4 (Medium)
  • Impact: Arbitrary Code Execution
  • Attack vector: Local or supply chain (malicious .pkl.gz)
  • Affected users: Any user who loads session files (even interactively)
  • Affected version: Scapy v2.6.1

Mitigations

  • Do not use sessions (the -s option when launching Scapy).
  • Use Scapy 2.7.0 or later, where the session mechanism has been removed.

Fix

Deserialization of Untrusted Data


Weakness Enumeration

Related identifiers

GHSA-CQ46-M9X9-J8W2

Affected products

Scapy