Critical Vulnerability in Python PLY Library Enables Remote Code Execution
A significant security flaw has been discovered in version 3.11 of the Python Lex-Yacc (PLY) library, distributed via the Python Package Index (PyPI). This vulnerability, identified as CVE-2025-56005, allows for arbitrary code execution through the unsafe deserialization of untrusted pickle files.
Understanding the Vulnerability
The core of this issue lies in the `yacc()` function’s undocumented `picklefile` parameter. Despite its absence from official documentation, this parameter is present in the production release and poses a significant risk. When the `yacc(picklefile=…)` function is invoked, it calls `pickle.load()` on files specified by the user without proper validation.
Python’s `pickle` module is inherently capable of executing arbitrary code during deserialization through the `__reduce__()` method. This means that if an attacker crafts a malicious pickle file containing such a method, they can execute system commands before the parser is even initialized. This silent execution during application startup makes the vulnerability particularly insidious.
Potential Impact
The vulnerability is especially concerning in environments where parser tables are:
– Cached on disk
– Shared between services
– Generated within Continuous Integration/Continuous Deployment (CI/CD) pipelines
Exploitation becomes feasible when attackers can control, replace, or influence the path to the pickle file. Specific areas of concern include:
– Cached Parser Table Locations: Local storage areas where parser tables are saved.
– Shared Network Directories: Network-accessible folders shared among multiple services or users.
– CI/CD Pipeline Artifacts: Files produced during build and deployment processes.
– Configurable or Writable File Paths: Paths defined by the application that are writable and potentially accessible to unauthorized users.
Demonstration of Exploitation
To illustrate the risk, consider a scenario where a malicious pickle payload is created to execute system commands during deserialization. By loading a crafted pickle file containing serialized objects with embedded `__reduce__()` methods using `yacc(picklefile=’exploit.pkl’)`, arbitrary code execution occurs before the parser becomes operational.
Recommended Mitigation Strategies
Organizations and developers utilizing PLY 3.11 should take immediate action to mitigate this vulnerability:
1. Avoid Using the `picklefile` Parameter with Untrusted Files: Ensure that the `picklefile` parameter is not used with files that are untrusted or externally writable.
2. Disable Loading Parser Tables from User-Controlled Locations: Prevent the application from loading parser tables from locations that can be influenced or controlled by users.
3. Treat All Pickle Files as Potentially Unsafe: Given the inherent risks associated with the `pickle` module, it’s prudent to consider all pickle files as potentially unsafe.
4. Regenerate Parser Tables Dynamically: Instead of loading parser tables from disk, regenerate them dynamically to ensure they haven’t been tampered with.
5. Audit Configurations for Potential Exposure: Review application configurations to identify and rectify any potential exposure through the undocumented `picklefile` parameter.
Conclusion
The discovery of CVE-2025-56005 in the PLY 3.11 library underscores the critical importance of validating and sanitizing inputs, especially when dealing with deserialization processes. Developers and organizations must remain vigilant, promptly updating and auditing their applications to safeguard against such vulnerabilities.
