CVE-2025-62515
pyquokka is a framework for making data lakes work for time series. In versions 0.3.1 and prior, the FlightServer class directly uses pickle.loads to deserialize action bodies received from Flight clients without any sanitization or validation in the do_action method. The vulnerable code is locate...
Exploit for CVE-2025-62515
pyquokka-rce-poc ...
CVE-2025-62515 Remote Code Execution by Pickle Deserialization via FlightServer in pyquokka
pyquokka is a framework for making data lakes work for time series. In versions 0.3.1 and prior, the FlightServer class directly uses pickle.loads to deserialize action bodies received from Flight clients without any sanitization or validation in the do_action method. The vulnerable code is locate...
CVE-2025-62515
CVE-2025-62515 affects pyquokka ≤ 0.3.1. The FlightServer’s do_action() deserializes untrusted data with Python’s unsafe pickle.loads(), specifically in pyquokka/flight.py around line 283, enabling arbitrary remote code execution when the server is exposed (e.g., binding to 0.0.0.0) and handling ...
EUVD-2025-34900
pyquokka is Vulnerable to Remote Code Execution by Pickle Deserialization via FlightServer...