- Description: An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third-party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully.
- Source: cve@mitre.org
- NVD status: Modified
- CNA Tags: disputed
- Products: ply
CVSS 3.1
- Type: Secondary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-502
- Hype score: Not currently trending
🚨 CVE-2025-56005 : PYTHON PLY REMOTE CODE EXECUTION VIA PICKLE DESERIALIZATION ALERT 🚨 @PLY A critical deserialization flaw has been identified in PLY (Python Lex-Yacc) 3.11 — allowing unauthenticated remote attackers to achieve arbitrary code execution when
@OstorlabSec
29 Jan 2026
80 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
🚨 Critical RCE Flaw in Python PLY (CVE-2025-56005) Abuses Undocumented Pickle Loading A flaw in the PyPI-distributed PLY 3.11 lets attackers achieve arbitrary code execution when the undocumented `yacc(picklefile=...)` parameter loads an attacker-controlled `.pkl` via
@ThreatSynop
27 Jan 2026
55 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical vulnerability that could allow remote execution of arbitrary code has been discovered in version 3.11 of Python's PLY (Python Lex-Yacc) library. This vulnerability is identified as CVE-2025-56005.
@omomuki_tech
27 Jan 2026
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-56005: Python PLY Bug Allows Remote Code Execution #CybersecurityNews #cyashadotcom #RashmikaMandanna https://t.co/ySBgKPBtyv
@cyashadotcom
26 Jan 2026
187 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical Python PLY Flaw (CVE-2025-56005) Enables RCE via Unsafe Pickle Deserialization A critical vulnerability in Python PLY 3.11 allows remote code execution when the undocumented `picklefile` parameter in `ply.yacc.yacc()` loads attacker-controlled `.pkl` parser tables
@ThreatSynop
26 Jan 2026
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
An unpatched Critical vulnerability in Python's PLY library. CVE-2025-56005 has a CVSS score of 9.8: the yacc() function has an undocumented parameter, picklefile, whose contents are passed to pickle.load(), which makes arbitrary code execution possible. プ
@__kokumoto
26 Jan 2026
1491 Impressions
6 Retweets
16 Likes
5 Bookmarks
1 Reply
0 Quotes
Abandoned Python PLY library contains a critical RCE flaw (CVE-2025-56005) via an undocumented "picklefile" parameter. No patch is expected. #Python #CyberSecurity #CVE202556005 #RCE #InfoSec #LegacyCode #PLY #DevSecOps https://t.co/S7VVLOR4xF
@the_yellow_fall
26 Jan 2026
218 Impressions
1 Retweet
1 Like
0 Bookmarks
1 Reply
1 Quote
Top 5 Trending CVEs: 1 - CVE-2026-22812 2 - CVE-2024-37079 3 - CVE-2026-24061 4 - CVE-2025-56005 5 - CVE-2025-5419 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
25 Jan 2026
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-56005: PLY (Python Lex‑Yacc): Undocumented RCE via picklefile Parameter https://t.co/5b0UdwBfbg The PoC: * Defines a minimal lexer and parser * Crafts a malicious pickle payload * Executes a system command during deserialization No further maintenance of PLY is expecte
@oss_security
25 Jan 2026
2404 Impressions
7 Retweets
28 Likes
11 Bookmarks
0 Replies
0 Quotes
A remote code execution vulnerability (CVE-2025-56005) affects PLY due to unsafe deserialization via the picklefile parameter. Review PLY yacc() usage for untrusted input. #Python #Security #RCE https://t.co/56Ygln10CT
@pulsepatchio
21 Jan 2026
32 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🔴 CVE-2025-56005 - Critical An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter acc... https://t.co/llJnuYzz1Z https://t.co/sqpd4mrpBL
@TheHackerWire
20 Jan 2026
46 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-56005: CRITICAL] Warning: Unsecured feature in PLY library 3.11 allows Remote Code Execution via `picklefile` parameter in `yacc()` function, supporting malicious code execution. Exercise caution! #cve,CVE-2025-56005,#cybersecurity https://t.co/NwmCrPZDzo https://t.co/sU
@CveFindCom
20 Jan 2026
65 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:dabeaz:ply:3.11:*:*:*:*:*:*:*",
            "matchCriteriaId": "278FED9B-7970-410E-B5F5-C87B229441CC",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]