Abersheeran

Researcher rank: #25215 of 53,633
Total CVSS: 9.8
Vulnerabilities: 1

PT-2022-22812 · CVSS 9.8 · 2022-07-08
Vendor/product: rpc.py · rpc.py · CVE-2022-35411
**Name of the Vulnerable Software and Affected Versions**

rpc.py, versions through 0.6.0

**Description**

The issue allows Remote Code Execution because the server unpickles the request body when the client sends the HTTP header `serializer: pickle`. Although JSON is the default data format, the data format is chosen from this client-controlled header, so an unauthenticated client can cause its request body to be processed with unpickle; loading attacker-supplied pickle data runs arbitrary code in the server process. The maintainer notes that rpc.py is not designed for an API open to the outside world, and that in real-world use external requests cannot reach rpc.py.

**Recommendations**

For versions through 0.6.0, as a temporary workaround, delete `PickleSerializer` from `SERIALIZER_NAMES` and `SERIALIZER_TYPES` so that pickle can no longer be selected by the header. Run this at application startup, before any request is served:

```
# The module path rpcpy.serializers is assumed here; the advisory names only the identifiers.
from rpcpy.serializers import SERIALIZER_NAMES, SERIALIZER_TYPES, PickleSerializer

del SERIALIZER_NAMES[PickleSerializer.name]
del SERIALIZER_TYPES[PickleSerializer.content_type]
```

A fix exists on the `master` branch.
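The mechanism described above, as an added example that is not rpc.py's code and not from the advisory: a toy request dispatcher that selects a decoder from a client-supplied `serializer` header (default `json`), a constructed pickle body whose `__reduce__` hook calls a harmless marker function instead of `os.system`, and the same registry with the pickle entry removed, mirroring the workaround. All names (`dispatch`, `SERIALIZERS`, `Payload`, `attack`, `hardened_registry`) are hypothetical.

```python
import json
import pickle

# Side effects observed during unpickling are recorded here so the demo can
# prove that code ran without doing anything harmful.
EXECUTED = []


def _marker(tag):
    """Stand-in for the callable a real payload would invoke (e.g. os.system)."""
    EXECUTED.append(tag)
    return tag


class Payload:
    """Constructed attacker object: on unpickling, pickle calls _marker(...)
    exactly as it would call any other module-level callable named in the stream."""

    def __reduce__(self):
        return (_marker, ("unpickle-ran",))


# Registry keyed by the value of the client's "serializer" header
# (hypothetical, modelled on the header-driven selection the advisory describes).
SERIALIZERS = {
    "json": json.loads,
    "pickle": pickle.loads,
}


def dispatch(headers, body, registry):
    """Toy server: decode the body with the serializer named by the header.

    JSON is the default, but the client decides, which is the whole problem."""
    name = headers.get("serializer", "json")
    decoder = registry.get(name)
    if decoder is None:
        raise ValueError(f"unsupported serializer {name!r}")
    return decoder(body)


def hardened_registry():
    """The advisory's workaround applied to the toy registry: drop pickle entirely,
    so the header can no longer reach pickle.loads."""
    registry = dict(SERIALIZERS)
    registry.pop("pickle", None)
    return registry


def attack(registry):
    """Send a pickled Payload with 'serializer: pickle'.

    Returns (code_ran, result_or_error) so both outcomes are observable."""
    EXECUTED.clear()
    body = pickle.dumps(Payload())          # constructed attacker body
    try:
        result = dispatch({"serializer": "pickle"}, body, registry)
    except ValueError as exc:
        return (bool(EXECUTED), str(exc))
    return (bool(EXECUTED), result)


if __name__ == "__main__":
    print("vulnerable:", attack(SERIALIZERS))          # code runs during unpickle
    print("hardened:  ", attack(hardened_registry()))  # header rejected, nothing runs
    print("json still works:", dispatch({}, b'{"ok": true}', hardened_registry()))
```

Removing the registry entry is preferable to checking the header value at the edge: the decoder choice is then impossible rather than merely filtered, and legitimate JSON clients are unaffected.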