CVE-2025-56005

Published Jan 20, 2026

Last updated 5 hours ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-56005 describes an undocumented and unsafe feature found in version 3.11 of the PLY (Python Lex-Yacc) library. This vulnerability enables Remote Code Execution (RCE) through the `picklefile` parameter within the `yacc()` function. The `picklefile` parameter accepts and deserializes a `.pkl` file without proper validation. Attackers can exploit this by providing a malicious pickle file, as the `pickle` module is capable of executing embedded code via its `__reduce__()` method. This parameter is not mentioned in the official documentation or the GitHub repository for PLY, yet it remains active in the PyPI version, potentially introducing a stealthy backdoor and persistence risk.

Description: An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk.
Source: cve@mitre.org
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-502

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 8

References