CVE Catalog

CVE-2025-56005

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Very high risk
16.90%

97th percentile - higher than 97% of all known CVEs

Summary

The PLY (Python Lex-Yacc) library version 3.11 contains an undocumented and unsafe feature in the `picklefile` parameter of the `yacc()` function, allowing Remote Code Execution (RCE) via deserialization of a malicious `.pkl` file without validation. An attacker can exploit this to execute arbitrary code, posing a backdoor and persistence risk.

Risk Assessment

The risk for the organization is the potential for remote takeover of systems using the vulnerable PLY library, leading to data theft, malware installation, or permanent system compromise.

Recommendation

It is recommended to immediately update the PLY library to the latest available version that fixes this vulnerability and avoid using the `picklefile` parameter in the `yacc()` function. Conduct a code audit to identify potential exploits.

Original NVD description (English source)

An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third-party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS