FKIE_CVE-2025-56005

Vulnerability from fkie_nvd - Published: 2026-01-20 19:15 - Updated: 2026-06-30 03:16
Summary
An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third-party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully.
Impacted products
Vendor Product Version
dabeaz ply 3.11

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "source": "cve@mitre.org"
    },
    {
      "affectedData": [
        {
          "cpes": [
            "cpe:/a:redhat:rhmt:1"
          ],
          "defaultStatus": "affected",
          "product": "Migration Toolkit for Containers",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:migration_toolkit_virtualization:2"
          ],
          "defaultStatus": "affected",
          "product": "Migration Toolkit for Virtualization",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:ocp_tools"
          ],
          "defaultStatus": "affected",
          "product": "OpenShift Developer Tools and Services",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:openshift_pipelines:1"
          ],
          "defaultStatus": "affected",
          "product": "OpenShift Pipelines",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:advanced_cluster_security:4"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Advanced Cluster Security 4",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:ceph_storage:7"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Ceph Storage 7",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:ceph_storage:8"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Ceph Storage 8",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:certifications:9"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Certification Program for Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:directory_server:13"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Directory Server 13",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:enterprise_linux_ai:3"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:openshift_gitops:1"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat OpenShift GitOps",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:openstack:13"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat OpenStack Platform 13 (Queens)",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:openstack:16.2"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat OpenStack Platform 16.2",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:openstack:17.1"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat OpenStack Platform 17.1",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:openstack:18.0"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat OpenStack Platform 18.0",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:quay:3"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Quay 3",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:workload_availability_far:0"
          ],
          "defaultStatus": "unaffected",
          "product": "Fence Agents Remediation Operator",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:service_mesh:2"
          ],
          "defaultStatus": "unaffected",
          "product": "OpenShift Service Mesh 2",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:service_mesh:3"
          ],
          "defaultStatus": "unaffected",
          "product": "OpenShift Service Mesh 3",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:ansible_core:2"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat Ansible Automation Platform Ansible Core 2",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:openshift_data_foundation:4"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat Openshift Data Foundation 4",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:stf:1.5"
          ],
          "defaultStatus": "unaffected",
          "product": "Service Telemetry Framework 1.5",
          "vendor": "Red Hat"
        }
      ],
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dabeaz:ply:3.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "278FED9B-7970-410E-B5F5-C87B229441CC",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [
    {
      "sourceIdentifier": "cve@mitre.org",
      "tags": [
        "disputed"
      ]
    }
  ],
  "descriptions": [
    {
      "lang": "en",
      "value": "An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third-party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully."
    },
    {
      "lang": "es",
      "value": "Una caracter\u00edstica indocumentada e insegura en la librer\u00eda PLY (Python Lex-Yacc) 3.11 permite la ejecuci\u00f3n remota de c\u00f3digo (RCE) a trav\u00e9s del par\u00e1metro \u0027picklefile\u0027 en la funci\u00f3n \u0027yacc()\u0027. Este par\u00e1metro acepta un archivo .pkl que se deserializa con \u0027pickle.load()\u0027 sin validaci\u00f3n. Debido a que \u0027pickle\u0027 permite la ejecuci\u00f3n de c\u00f3digo incrustado a trav\u00e9s de \u0027__reduce__()\u0027, un atacante puede lograr la ejecuci\u00f3n de c\u00f3digo pasando un archivo pickle malicioso. El par\u00e1metro no se menciona en la documentaci\u00f3n oficial ni en el repositorio de GitHub, sin embargo, est\u00e1 activo en la versi\u00f3n de PyPI. Esto introduce una puerta trasera sigilosa y un riesgo de persistencia. NOTA: Un tercero afirma que esta vulnerabilidad deber\u00eda ser rechazada porque la prueba de concepto no demuestra la ejecuci\u00f3n de c\u00f3digo arbitrario y no se completa con \u00e9xito."
    }
  ],
  "id": "CVE-2025-56005",
  "lastModified": "2026-06-30T03:16:52.847",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2025-56005",
          "options": [
            {
              "exploitation": "poc"
            },
            {
              "automatable": "yes"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-01-20T18:47:19.926886Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-01-20T19:15:49.247",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/bohmiiidd/Undocumented-RCE-in-PLY"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/bohmiiidd/Undocumument_RCE_PLY-yacc-CVE-2025-56005"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/tom025/ply_exploit_rejection"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/tom025/ply_exploit_rejection/issues/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2026/01/23/4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2026/01/23/5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2026/01/28/5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2026/01/29/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2026/01/29/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2026/01/30/1"
    },
    {
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "url": "https://access.redhat.com/security/cve/CVE-2025-56005"
    },
    {
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431308"
    },
    {
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-56005.json"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…