CVE-2022-35411

CRITICAL

rpc.py < 0.6.0 - Unauthenticated Remote Code Execution via Pickle Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2022-35411. PoCs published by Elias Hohl, CSpanias, fuzzlove.

AI-analyzed exploit summary This exploit leverages insecure deserialization in rpc.py (versions 0.4.2 to 0.6.0) by sending a malicious pickle payload to execute arbitrary commands. The payload abuses Python's pickle deserialization to trigger `os.system` with attacker-controlled input.

Description

rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.

Exploits (5)

exploitdb WORKING POC
by Elias Hohl · pythonremotepython
https://www.exploit-db.com/exploits/50983

This exploit leverages insecure deserialization in rpc.py (versions 0.4.2 to 0.6.0) by sending a malicious pickle payload to execute arbitrary commands. The payload abuses Python's pickle deserialization to trigger `os.system` with attacker-controlled input.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: rpc.py v0.4.2 - v0.6.0
No auth needed
Prerequisites: Network access to the target service · Target service running with vulnerable rpc.py version
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 2 stars
by CSpanias · poc
https://github.com/CSpanias/rpc-rce.py

This repository contains a functional exploit for CVE-2022-35411, targeting unauthenticated RCE in rpc.py via unsafe pickle deserialization. The exploit includes a reverse shell payload and a dry-run mode for testing.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: rpc.py <= 0.6.0
No auth needed
Prerequisites: Python 3.x · requests library · vulnerable rpc.py server
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 1 stars
by fuzzlove · poc
https://github.com/fuzzlove/CVE-2022-35411

This repository contains a functional exploit for CVE-2022-35411, leveraging insecure deserialization in rpc.py versions 0.4.2 to 0.6.0. The exploit uses Python's pickle module to craft a malicious payload that achieves remote code execution (RCE) via the 'serializer' header.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: rpc.py v0.4.2 - v0.6.0
No auth needed
Prerequisites: Network access to the target service · Target service running rpc.py with vulnerable version
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by Neo-okami · poc
https://github.com/Neo-okami/CVE-2022-35411

This repository contains a functional exploit for CVE-2022-35411, targeting a deserialization vulnerability in rpc.py versions 0.4.2 to 0.6.0. The exploit leverages Python's pickle deserialization to achieve unauthenticated remote code execution (RCE) by sending a crafted payload to the vulnerable endpoint.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: rpc.py v0.4.2 - v0.6.0
No auth needed
Prerequisites: Network access to the target service · Target service running rpc.py with vulnerable version
devstral-2 · analyzed Feb 26, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 9.8
EPSS 0.4586
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-522
Status published
Products (2)
pypi/rpc.py 0.4.2PyPI
rpc.py_project/rpc.py 0.4.2 - 0.6.0
Published Jul 08, 2022
Tracked Since Feb 18, 2026