PT-2025-40909 · Pypi+2 · Python-Socketio+2

Locus-X64

·

Published

2025-10-06

·

Updated

2026-02-16

·

CVE-2025-61765

CVSS v2.0

6.9

Medium

Vector

AV:A/AC:L/Au:M/C:C/I:C/A:P
Name of the Vulnerable Software and Affected Versions: python-socketio versions prior to 5.14.0
Description: python-socketio is a Python implementation of the Socket.IO realtime client and server. Versions prior to 5.14.0 contain a remote code execution issue that lets an attacker run arbitrary Python code in multi-server deployments, provided the attacker has previously gained access to the message queue used for inter-server communication. The issue stems from deserializing queue messages with Python's pickle.loads(). An attacker who can publish to the queue can send a crafted pickle payload whose __reduce__ method makes the unpickler call an arbitrary callable during deserialization, so the attacker's code runs in the context, and with the privileges, of the Socket.IO server process that consumes the message. Single-server deployments that do not use a message queue, and multi-server deployments whose message queue the attacker cannot write to, are not affected.
Recommendations: Upgrade to python-socketio 5.14.0 or newer, which stops using the pickle module for inter-server messaging and encodes those messages as JSON instead. Where an upgrade cannot happen immediately, treat the message queue as a trust boundary: require authentication, restrict network access to the servers that need it, and audit who can publish to it, since the issue is only exploitable by a party that can write to the queue.
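The following is an added example, not python-socketio's code, that models the two inter-server message decoders this advisory contrasts: pickle.loads() applied to a message that arrived over a shared queue (the pre-5.14.0 behaviour) and a JSON decoder with a method allow-list (the approach 5.14.0 adopted). The message shape, the ALLOWED_METHODS set, the function names and the absence of a real queue are all assumptions for illustration; the payload's __reduce__ points at a harmless recorder function rather than os.system so the example is safe to run, but pickle resolves and calls it by the same mechanism.

```python
import json
import pickle

# Added example (not python-socketio's code). The queue itself is omitted: the
# functions below receive the raw bytes a consumer would read from it. Message
# shape, method names and function names are assumptions for illustration.

EXECUTED = []  # records callables pickle.loads() ran while "just deserializing"


def attacker_callable(marker):
    """Benign stand-in for what a real payload would call (e.g. os.system).

    pickle resolves it by module and attribute name, exactly as it would
    resolve os.system, and calls it with the arguments the payload supplies.
    """
    EXECUTED.append(marker)
    return marker


class MaliciousQueueMessage:
    """Any object whose __reduce__ returns (callable, args) makes pickle.loads()
    call that callable. The victim never needs this class: only bytes travel."""

    def __init__(self, marker):
        self.marker = marker

    def __reduce__(self):
        return (attacker_callable, (self.marker,))


def craft_payload(marker="pwned"):
    """What an attacker with write access to the queue would publish."""
    return pickle.dumps(MaliciousQueueMessage(marker), protocol=pickle.HIGHEST_PROTOCOL)


def decode_pickle(raw):
    """Vulnerable pattern: trusts the queue, so a forged message executes code
    here, with the privileges of the Socket.IO server process."""
    return pickle.loads(raw)


# Assumed set of internal message types; a real server would also validate the
# per-method fields (room names, session ids, ...) before acting on them.
ALLOWED_METHODS = {"emit", "callback", "disconnect", "close_room"}


def decode_json(raw):
    """Hardened pattern: JSON yields only dicts, lists, strings, numbers and
    booleans, never callables. Raises ValueError on anything that is not a
    well-formed internal message."""
    if isinstance(raw, bytes):
        # A pickle blob fails here: 0x80 (the PROTO opcode) is not valid UTF-8,
        # and UnicodeDecodeError is a subclass of ValueError.
        raw = raw.decode("utf-8")
    msg = json.loads(raw)  # json.JSONDecodeError is also a ValueError
    if not isinstance(msg, dict):
        raise ValueError("internal message must be a JSON object")
    if msg.get("method") not in ALLOWED_METHODS:
        raise ValueError("unknown internal method %r" % (msg.get("method"),))
    return msg


def rejects_as_json(raw):
    """True if the JSON decoder refuses the message instead of acting on it."""
    try:
        decode_json(raw)
    except ValueError:
        return True
    return False


def looks_like_pickle(raw):
    """Cheap triage check for queue captures: pickle protocol 2 and later start
    with the PROTO opcode 0x80 followed by the protocol number. Protocols 0
    and 1 carry no such header, so False here is not proof of absence."""
    return len(raw) >= 2 and raw[0] == 0x80 and 2 <= raw[1] <= pickle.HIGHEST_PROTOCOL


if __name__ == "__main__":
    payload = craft_payload("demo-marker")
    print("pickle path ran attacker code:", decode_pickle(payload), EXECUTED)
    print("json path rejects the same bytes:", rejects_as_json(payload))
    legit = json.dumps({"method": "emit", "event": "chat", "data": "hi"}).encode()
    print("json path accepts a real message:", decode_json(legit))
    print("pickle header on queue:", looks_like_pickle(payload), looks_like_pickle(legit))
```

The point the two decoders make together is that the fix is not "validate the pickle": once pickle.loads() runs on attacker-controlled bytes, the callable in __reduce__ has already executed. JSON removes that capability from the wire format entirely, and the allow-list on "method" keeps the consumer from acting on unexpected message types that JSON alone would still happily parse. The looks_like_pickle() check is a forensic convenience for inspecting captured queue traffic during an incident, not a control to deploy in place of the upgrade.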

Exploit

Fix

RCE

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2026-03615
CVE-2025-61765
GHSA-G8C6-8FJJ-2R4M
OPENSUSE-SU-2025:15613-1
SUSE-SU-2025:3780-1

Affected Products

Debian
Red Os
Python-Socketio