PT-2020-13328 · Pandas Development Team · Pandas

Published 2020-05-15 · Updated 2025-10-09 · CVE-2020-13091

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: pandas versions 1.0.0 through 1.0.3

Description: The issue allows untrusted files passed to the read_pickle() function to be deserialized and potentially execute commands, specifically if an object's __reduce__ method makes an os.system call. It is noted that the read_pickle() function is documented as unsafe, and users are responsible for using it securely. Third parties dispute this issue.

Recommendations: For versions 1.0.0 through 1.0.3, avoid passing untrusted files to the read_pickle() function until a secure approach is implemented. As a temporary workaround, restrict the use of files that could make os.system calls through the __reduce__ method. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
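The workaround above, restricting which files can reach os.system through __reduce__, can be enforced mechanically rather than by inspection. The following is an added example for this record, not part of the advisory and not pandas' own code: it applies the restriction pattern from the Python pickle documentation by subclassing pickle.Unpickler so that any global outside an allowlist is refused in find_class, before a REDUCE opcode can run it. The allowlist ALLOWED_TOP_LEVEL_MODULES, the helper names (restricted_loads, check_pickle, opcode_names) and the sample pickles are assumptions constructed for the example.

```python
import collections
import io
import pickle
import pickletools

# Assumption (not from the advisory): top-level modules a DataFrame pickle written by
# pandas legitimately resolves while loading. Tighten it to what your own files reference.
ALLOWED_TOP_LEVEL_MODULES = frozenset(
    {"pandas", "numpy", "builtins", "collections", "datetime", "copyreg", "_codecs"}
)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside an allowlist.

    find_class() is consulted for every GLOBAL / STACK_GLOBAL / INST / OBJ resolution,
    so a payload whose __reduce__ names os.system is rejected before REDUCE can run.
    This is the restriction pattern from the Python pickle documentation.
    """

    def __init__(self, file, allowed=ALLOWED_TOP_LEVEL_MODULES):
        super().__init__(file)
        self.allowed = allowed
        self.seen = []  # every (module, name) the data asked for; useful for triage logs

    def find_class(self, module, name):
        self.seen.append((module, name))
        if module.split(".", 1)[0] not in self.allowed:
            raise pickle.UnpicklingError(f"refusing to import {module}.{name} from pickle data")
        return super().find_class(module, name)


def restricted_loads(data: bytes, allowed=ALLOWED_TOP_LEVEL_MODULES):
    """Drop-in for pickle.loads that enforces the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()


def check_pickle(data: bytes, allowed=ALLOWED_TOP_LEVEL_MODULES):
    """Gate for untrusted files: returns (ok, globals_requested).

    Any failure, including an allowlist refusal, yields ok=False. Allowlisted
    constructors still execute during the check, so keep the allowlist narrow.
    """
    up = RestrictedUnpickler(io.BytesIO(data), allowed)
    try:
        up.load()
    except Exception:
        return False, up.seen
    return True, up.seen


def opcode_names(data: bytes):
    """Static disassembly via pickletools: lists opcodes without executing anything.
    REDUCE, GLOBAL and STACK_GLOBAL are the opcodes to look at when triaging a file."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)]


# Constructed samples (not from the advisory). The two OS_REF samples merely reference
# os.system without calling it (there is no REDUCE), which is enough to exercise the
# gate: protocol 2 uses the GLOBAL opcode, protocol 4 the STACK_GLOBAL opcode.
SAFE_DICT = pickle.dumps({"col": [1, 2, 3]}, protocol=4)
SAFE_ORDERED = pickle.dumps(collections.OrderedDict(a=1), protocol=4)
OS_REF_PROTO2 = b"\x80\x02cos\nsystem\n."
OS_REF_PROTO4 = b"\x80\x04\x8c\x02os\x8c\x06system\x93."

if __name__ == "__main__":
    samples = [("dict", SAFE_DICT), ("OrderedDict", SAFE_ORDERED),
               ("os.system/proto2", OS_REF_PROTO2), ("os.system/proto4", OS_REF_PROTO4)]
    for label, blob in samples:
        ok, seen = check_pickle(blob)
        print(f"{label:18} ok={ok!s:5} globals={seen} opcodes={opcode_names(blob)}")
```

restricted_loads stands in for pickle.loads, or for read_pickle() on input you do not trust (a DataFrame pickle written by a current pandas is a plain pickle stream, so it loads through this path; that is an assumption to verify against your files). A module-prefix allowlist still leaves every constructor in the allowed packages reachable, so for genuinely untrusted input a data-only format such as CSV or Parquet removes the problem rather than narrowing it.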

Exploit

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

ALT-PU-2020-2698
CVE-2020-13091
PYSEC-2020-73

Affected Products

Alt Linux
Debian
Pandas