Description
PyMOL 2.5.0 contains a vulnerability in its "Run Script" function, which allows the execution of arbitrary Python code embedded within .PYM files. Attackers can craft a malicious .PYM file containing a Python reverse shell payload and exploit the function to achieve Remote Command Execution (RCE). This vulnerability arises because PyMOL treats .PYM files as Python scripts without properly validating or restricting the commands within the script, enabling attackers to run unauthorized commands in the context of the user running the application.
References (3)
Core References
Various Sources: https://youtu.be/SWnN_a1tUNc
Issue Tracking: https://github.com/schrodinger/pymol-open-source/issues/405
Scores
CVSS v3: 9.8
EPSS: 0.0696
EPSS Percentile: 91.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-94
Status: published
Published: Nov 11, 2024
Tracked Since: Feb 18, 2026