CVE-2013-5093

Graphite 0.9.5-0.9.10 - Remote Code Execution via Unsafe Pickle Deserialization

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2013-5093. PoCs published by Metasploit, Charlie Eriksen, funkypickle, including Metasploit module exploits/unix/webapp/graphite_pickle_exec.

AI-analyzed exploit summary This Metasploit module exploits a remote code execution vulnerability in Graphite Web (versions 0.9.5 to 0.9.10) by sending a malicious pickle payload via HTTP POST to the 'render' endpoint. The payload leverages Python's pickle deserialization to execute arbitrary commands.

Description

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremoteunix

https://www.exploit-db.com/exploits/27752

View Code ZIP pw:eip

This Metasploit module exploits a remote code execution vulnerability in Graphite Web (versions 0.9.5 to 0.9.10) by sending a malicious pickle payload via HTTP POST to the 'render' endpoint. The payload leverages Python's pickle deserialization to execute arbitrary commands.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Graphite Web 0.9.5 to 0.9.10

No auth needed

Prerequisites: Network access to the Graphite Web interface

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Charlie Eriksen, funkypickle · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/graphite_pickle_exec.rb