5 matches found
CVE-2025-62703
Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization via FlaskRPCServer. The Fugue framework...
CVE-2025-62703 Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer
Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization via FlaskRPCServer. The Fugue framework...
CVE-2025-62703
CVE-2025-62703 affects Fugue up to version 0.9.2, where the RPC server’s FlaskRPCServer decodes data with cloudpickle.loads() without sanitization, enabling remote code execution through crafted pickle payloads. The issue lies in the _decode() function in fugue/rpc/flask.py, allowing deserializat...
CVE-2025-62703 Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer
Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization via FlaskRPCServer. The Fugue framework...
Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer
Summary The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server implementation, I found that the decode function in fugue/rpc/flask.py directly uses cloudpickle.loads to deserialize data without any sanitization. This...