CVE-2025-56005
CriticalCVSS 9.8Exploitation Probability (EPSS)
Very high risk97th percentile - higher than 97% of all known CVEs
Summary
The PLY (Python Lex-Yacc) library version 3.11 contains an undocumented and unsafe feature in the `picklefile` parameter of the `yacc()` function, allowing Remote Code Execution (RCE) via deserialization of a malicious `.pkl` file without validation. An attacker can exploit this to execute arbitrary code, posing a backdoor and persistence risk.
Risk Assessment
The risk for the organization is the potential for remote takeover of systems using the vulnerable PLY library, leading to data theft, malware installation, or permanent system compromise.
Recommendation
It is recommended to immediately update the PLY library to the latest available version that fixes this vulnerability and avoid using the `picklefile` parameter in the `yacc()` function. Conduct a code audit to identify potential exploits.
Original NVD description (English source)
An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third-party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully.

