PT-2022-22812 · rpc.py

Abersheeran · Published 2022-07-08 · Updated 2024-02-09

CVE-2022-35411 · CVSS v3.1 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: rpc.py versions through 0.6.0

Description: The issue allows Remote Code Execution because the server unpickles the request body when a client sends the HTTP header `serializer: pickle`. Although JSON is the default data format, an unauthenticated client can select the pickle serializer with that header and have its body passed to pickle.loads, which runs attacker-controlled callables during deserialization. The maintainer notes that rpc.py is not designed for an API open to the outside world, and that external requests cannot reach rpc.py in real-world use; the workaround below is still worth applying wherever the endpoint is reachable by anyone other than the trusted client.

Recommendations: For versions through 0.6.0, as a temporary workaround, delete PickleSerializer from both lookup tables, SERIALIZER_NAMES (keyed by serializer name) and SERIALIZER_TYPES (keyed by content type), so that pickle can no longer be selected. The advisory's two statements, with the import they need (module path assumed to be rpcpy.serializers, as in the rpc.py source tree; check it against your installed version):

    from rpcpy.serializers import SERIALIZER_NAMES, SERIALIZER_TYPES, PickleSerializer

    del SERIALIZER_NAMES[PickleSerializer.name]
    del SERIALIZER_TYPES[PickleSerializer.content_type]

Run this once at startup, before the application begins serving requests. A fix exists on the master branch.
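The following is an added example, not code from rpc.py or its maintainer. It models the two halves of the advisory in one runnable script: a constructed request handler that picks its decoder from the client-supplied `serializer` header (JSON by default, pickle on request), a pickle gadget of the shape an attacker would send, and the workaround of deleting the pickle serializer from both lookup tables. The table and class names SERIALIZER_NAMES, SERIALIZER_TYPES and PickleSerializer follow the advisory; handle_request, Gadget, harden and the run_* functions are assumptions made for this demo, and os.getpid stands in for the os.system or subprocess call a real payload would use.

```python
"""Added example, not rpc.py's own code: header-selected deserialization
(CWE-502) and the advisory's delete-the-pickle-serializer workaround."""
import json
import os
import pickle


class JSONSerializer:
    name = "json"
    content_type = "application/json"

    @staticmethod
    def decode(data: bytes):
        return json.loads(data)


class PickleSerializer:
    name = "pickle"
    content_type = "application/x-pickle"

    @staticmethod
    def decode(data: bytes):
        return pickle.loads(data)  # CWE-502 sink once `data` comes from a client


# Lookup tables named as in the advisory (constructed here for the demo).
SERIALIZER_NAMES = {s.name: s for s in (JSONSerializer, PickleSerializer)}
SERIALIZER_TYPES = {s.content_type: s for s in (JSONSerializer, PickleSerializer)}


def handle_request(headers: dict, body: bytes, registry: dict) -> object:
    """Constructed server side: JSON is the default, but any unauthenticated
    client may name another registered serializer in the `serializer` header."""
    name = headers.get("serializer", JSONSerializer.name)
    serializer = registry.get(name)
    if serializer is None:
        raise ValueError(f"unsupported serializer: {name}")
    return serializer.decode(body)


class Gadget:
    """Client-side payload. pickle.loads calls the callable that __reduce__
    names and returns its result, so the attacker gets code execution at
    deserialization time. eval + os.getpid is a harmless stand-in for the
    os.system / subprocess call a real exploit would use."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def build_pickle_request() -> tuple:
    """What the attacker sends: the header that flips the decoder to pickle,
    plus a pickle body carrying the gadget."""
    return {"serializer": "pickle"}, pickle.dumps(Gadget())


def harden(names: dict, types: dict) -> tuple:
    """The advisory's workaround, applied to copies so both states can be
    compared: remove pickle from the name-keyed and content-type-keyed tables."""
    names, types = dict(names), dict(types)
    del names[PickleSerializer.name]
    del types[PickleSerializer.content_type]
    return names, types


def run_vulnerable() -> object:
    """Unpatched tables: returns the gadget's result (this process's PID),
    i.e. attacker-chosen code ran inside the server."""
    headers, body = build_pickle_request()
    return handle_request(headers, body, SERIALIZER_NAMES)


def run_hardened() -> str:
    """Same request after the workaround: rejected before pickle.loads."""
    names, _types = harden(SERIALIZER_NAMES, SERIALIZER_TYPES)
    headers, body = build_pickle_request()
    try:
        handle_request(headers, body, names)
    except ValueError as exc:
        return str(exc)
    return "unpickled"  # would mean the workaround did not take effect


def run_json_still_works() -> object:
    """Legitimate JSON callers (constructed body) are unaffected by the workaround."""
    names, _types = harden(SERIALIZER_NAMES, SERIALIZER_TYPES)
    return handle_request({}, b'{"method": "ping"}', names)


if __name__ == "__main__":
    print("vulnerable: gadget ran, returned PID", run_vulnerable())
    print("hardened:", run_hardened())
    print("json after hardening:", run_json_still_works())
```

The point to notice is that the gadget never touches the application's RPC logic: the code runs inside pickle.loads itself, before any method dispatch, so nothing the handler does afterwards can undo it. That is why the fix is to make the serializer unselectable rather than to validate the unpickled object.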

Weakness Enumeration

CWE-522: Insufficiently Protected Credentials
CWE-502: Deserialization of Untrusted Data

Related Identifiers

CVE-2022-35411
GHSA-8RQ8-F485-7V8X

Affected Products

rpc.py