Message-ID: <20260130210336.rbloiah3sbpel5zv@jwilk.net>
Date: Fri, 30 Jan 2026 22:03:36 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2025-56005 Undocumented RCE in PLY via
 `picklefile` Parameter

TL;DR: CVE-2025-56005 is a nothingburger.

* Alan Coopersmith <alan.coopersmith@...cle.com>, 2026-01-23 11:06:
>https://github.com/bohmiiidd/Undocumented-RCE-in-PLY claims:
>
>>Undocumented Remote Code Execution in PLY CVE-2025-56005

Calling this "remote" is nonsense. Such sensationalism makes me doubt 
this advisory was written in good faith.

>>The `picklefile` parameter causes PLY to deserialize a `.pkl` file 
>>using Python’s `pickle.load()` **without validation**.

The content of the pickle influences how the input is parsed, so if an 
attacker had control over that, it would be a vulnerability in the 
program using PLY, regardless of how safe the deserialization is.

I don't see unconstrained unpickling as a vulnerability in PLY; it's 
just a missing hardening opportunity.

>>This parameter is *not documented* in the official PLY documentation 
>>or GitHub repository,

It's documented in the CHANGES file:

>Added a new picklefile option to yacc() to write the parsing tables to 
>a filename using the pickle module. Here is how it works:
>
>    yacc(picklefile="parsetab.p")
>
>This option can be used if the normal parsetab.py file is extremely 
>large. For example, on jython, it is impossible to read parsing tables 
>if the parsetab.py exceeds a certain threshold.
>
>The filename supplied to the picklefile option is opened relative to 
>the current working directory of the Python interpreter. If you need to 
>refer to the file elsewhere, you will need to supply an absolute or 
>relative path.

(How come we're worried about backdoors in the pickle, but not in 
parsetab.py?)

OK, I do see a weakness in the API here: Putting the pickle in cwd (as 
the example hints) is a bad idea, and some people might be tempted to 
put them in /tmp, which is much worse. In contrast, parsetab.py is 
written into the same directory as the parser module, which is fine.


PS: I was curious if there's any real-world software that makes use of 
this parameter, but to my surprise I found one! Well, not really:

https://github.com/mozilla-firefox/firefox/commit/2a95ef8f868f00e6
self.parser = yacc.yacc(module=self,
                         outputdir=outputdir,
                         tabmodule='webidlyacc',
                         errorlog=yacc.NullLogger()
                         # Pickling the grammar is a speedup in
                         # some cases (older Python?) but a
                         # significant slowdown in others.
                         # We're not pickling for now, until it
                         # becomes a speedup again.
                         # , picklefile='WebIDLGrammar.pkl'
                     )

-- 
Jakub Wilk
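
Added example, not part of the original message and not PLY's code: one way a program could act on the cwd and /tmp point above before passing a path as `picklefile`. The helper names, the bare-filename rule and the ownership policy (current user or root, no group/other write bit) are assumptions made for illustration; only the table file and its containing directory are checked, and POSIX permissions are assumed.

```python
import os
import stat


def resolve_beside_module(module_file, table_name):
    """Anchor the table file to the parser module's directory, not the cwd."""
    if os.path.basename(table_name) != table_name:
        raise ValueError("table name must be a bare filename")
    return os.path.join(os.path.dirname(os.path.abspath(module_file)), table_name)


def _loose(st, uid):
    """Describe why this stat result is not exclusively controlled by uid/root."""
    found = []
    if st.st_uid not in (0, uid):
        found.append("owned by uid %d" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        found.append("writable by group or others")
    return found


def check_table_location(path, uid=None):
    """Return a list of problems; an empty list means the location is acceptable.

    A sticky, world-writable directory such as /tmp is still reported,
    because another user can create the file there first.
    """
    uid = os.getuid() if uid is None else uid
    path = os.path.abspath(path)
    parent = os.path.dirname(path)
    problems = ["directory %s is %s" % (parent, p)
                for p in _loose(os.stat(parent), uid)]
    try:
        st = os.lstat(path)  # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return problems      # tables not generated yet; directory verdict stands
    if not stat.S_ISREG(st.st_mode):
        problems.append("file %s is not a regular file" % path)
    else:
        problems += ["file %s is %s" % (path, p) for p in _loose(st, uid)]
    return problems


if __name__ == "__main__":
    # Constructed demo: compare a path beside this script with one in /tmp.
    for candidate in (resolve_beside_module(__file__, "parsetab.p"),
                      "/tmp/parsetab.p"):
        print(candidate, "->", check_table_location(candidate) or "ok")
```

A caller would only hand the path to yacc(picklefile=...) when the returned list is empty, and otherwise regenerate the tables or refuse to start.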
