CVE-2025-5174

MEDIUM

Erdogant Pypickle < 2.0.0 - Insecure Deserialization

Title source: rule

Description

A vulnerability was found in erdogant pypickle up to 1.1.5 and classified as problematic. Affected by this issue is the function load of the file pypickle/pypickle.py. The manipulation leads to deserialization. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The patch is identified as 14b4cae704a0bb4eb6723e238f25382d847a1917. It is recommended to upgrade the affected component.

References (7)

[Patch] https://github.com/erdogant/pypickle/commit/14b4cae704a0bb4eb6723e238f25382d847a1917

View Patch ZIP pw:eip

[Exploit, Issue Tracking, Vendor Advisory] https://github.com/erdogant/pypickle/issues/2

[Exploit, Issue Tracking, Vendor Advisory] https://github.com/erdogant/pypickle/issues/2#issuecomment-2889146579

[Release Notes] https://github.com/erdogant/pypickle/releases/tag/2.0.0

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.310262

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.310262

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.579157

Scores

CVSS v3 5.3

EPSS 0.0006

EPSS Percentile 18.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-502 CWE-20

Status published

Affected Products (2)

erdogant/pypickle < 2.0.0

pypi/pypickle < 2.0.0PyPI

Timeline

Published May 26, 2025

Tracked Since Feb 18, 2026