CVE-2024-27758: core/netref.py (CWE-000)

The `__array__` magic method was unconditionally defined on Netref objects. This allows an attacker-controlled network response to trigger arbitrary code execution via `pickle.loads()` when `numpy.array()` or property accesses query the object locally.

Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | python
greprules fetch cve-2024-27758-core-netref-py-cwe-000-cve-2024-27758 --engine opengrep

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
