PT-2025-48089 · Fugue+1

Chenpinji · Published 2025-11-25 · Updated 2025-12-30 · CVE-2025-62703

CVSS v3.1: 8.8 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Fugue versions 0.9.2 and earlier
Description: Fugue is a unified interface for distributed computing. A remote code execution issue exists because the decode() function in fugue/rpc/flask.py deserializes incoming data with cloudpickle.loads(). An attacker who can reach the RPC server can send crafted pickle data and execute arbitrary code on the victim's machine. The vulnerability resides in the RPC communication mechanism: a client transmits serialized Python objects, and the server deserializes them without checking what the payload references.
Recommendations: Versions prior to 0.9.2 should be updated.
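The pattern behind this advisory, shown as an added example that is not Fugue's code: a decode() that hands RPC bytes straight to loads() beside a data-only decoder that refuses any reference to importable code. The standard library's pickle stands in for cloudpickle because cloudpickle re-exports pickle.loads unchanged, so the unpickling behaviour is the same. The function names, the allow-list and the two sample payloads are constructed for this illustration; the payload that "references code" only names the builtin len, so loading it runs nothing, but it goes through the same global-resolution path that the vulnerability class depends on.

```python
"""Constructed illustration of an RPC decode() with and without a data-only
unpickler. Not Fugue's code; names and payloads are made up for this page."""
import builtins
import io
import pickle
import pickletools

# Opcodes that make the unpickler resolve an importable name. A stream that
# contains none of them never reaches find_class(), so listing them is a
# cheap pre-scan and a useful signal to log at the RPC boundary.
_GLOBAL_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ"}

# The only globals a plain data payload (dicts, lists, numbers, strings)
# can need. Protocol 4 encodes these with dedicated opcodes; older protocols
# reference some of them by name. Everything else is refused.
_ALLOWED = {
    ("builtins", n)
    for n in ("dict", "list", "tuple", "set", "frozenset",
              "str", "bytes", "int", "float", "bool")
}


def global_opcodes(payload: bytes) -> list:
    """Names of global-resolving opcodes present in a pickle stream."""
    return [op.name for op, _arg, _pos in pickletools.genops(payload)
            if op.name in _GLOBAL_OPCODES]


def unsafe_decode(payload: bytes):
    """The vulnerable shape: every global the payload names is imported
    and may be invoked while the object graph is rebuilt."""
    return pickle.loads(payload)


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that resolves only an explicit allow-list of builtins."""

    def find_class(self, module, name):
        # Protocols < 3 write the Python 2 module name for builtins.
        if module == "__builtin__":
            module = "builtins"
        if (module, name) in _ALLOWED:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_decode(payload: bytes):
    """Decode an RPC payload while refusing any reference to code."""
    return DataOnlyUnpickler(io.BytesIO(payload)).load()


def is_rejected(payload: bytes) -> bool:
    """True if safe_decode refuses the payload."""
    try:
        safe_decode(payload)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample payloads: a benign task description, and a pickle that
# merely references the builtin function len (nothing runs when it loads).
BENIGN = pickle.dumps({"task": "sum", "args": [1, 2, 3]}, protocol=4)
REFERENCES_CODE = pickle.dumps(len, protocol=4)

if __name__ == "__main__":
    print(safe_decode(BENIGN))              # {'task': 'sum', 'args': [1, 2, 3]}
    print(global_opcodes(REFERENCES_CODE))  # ['STACK_GLOBAL']
    print(is_rejected(REFERENCES_CODE))     # True
    print(unsafe_decode(REFERENCES_CODE))   # <built-in function len>
```

The allow-list is the mitigation; the opcode scan is the detection side, and is what a server should log when a peer sends a payload that names a global at all. Where the RPC messages are really just data, a non-executable format (JSON or a schema-checked serializer) removes the problem entirely, since no allow-list of an Unpickler subclass can be audited as easily as a format that has no code path to reach.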

Exploit · Fix · RCE · Deserialization of Untrusted Data · OS Command Injection

Weakness Enumeration

Related Identifiers
CVE-2025-62703
GHSA-XV5P-FJW5-VRJ6

Affected Products
Fugue
Cloudpickle