PT-2026-53595 · Pypi · Rpc.Py
Publicado
2026-06-29
·
Atualizado
2026-06-29
CVSS v3.1
9.8
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.
Per the maintainer, rpc.py is not designed for an API that is open to the outside world, and external requests cannot reach rpc.py in real world use.
A fix exists on the
master branch. As a workaround, use the following code to turn off pickle in older versions:del SERIALIZER NAMES[PickleSerializer.name]
del SERIALIZER TYPES[PickleSerializer.content type]Exploit
Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Rpc.Py