CVE-2025-62373: Python Pickle Loads On Untrusted Deserialize Input

`pickle.loads()` is invoked on bytes received as a parameter of a `deserialize()` method (typically a FrameSerializer / wire-format deserializer that receives data from WebSocket / network peers). Python's pickle module executes arbitrary code embedded in the stream via opcodes such as REDUCE / `__reduce__`, so unpickling attacker-controlled data is equivale

Provally Curated | Public repository | High | High confidence | Verified | Apache-2.0 | python
greprules fetch cve-2025-62373-python-pickle-loads-on-untrusted-deserialize-input --engine opengrep

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
