CVE-2025-5175

MEDIUM

erdogant pypickle < 2.0.0 - Improper Authorization in Save Function

Title source: llm

Description

A vulnerability was found in erdogant pypickle up to 1.1.5. It has been classified as critical. This affects the function Save of the file pypickle/pypickle.py. The manipulation leads to improper authorization. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The patch is named 14b4cae704a0bb4eb6723e238f25382d847a1917. It is recommended to upgrade the affected component.

References (8)

Core 8

Core References

Third Party Advisory, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.310263

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.310263

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.579824

Exploit, Issue Tracking, Vendor Advisory issue-tracking

https://github.com/erdogant/pypickle/issues/3

Exploit, Issue Tracking, Vendor Advisory issue-tracking

https://github.com/erdogant/pypickle/issues/3#issuecomment-2888589652

Exploit, Issue Tracking, Vendor Advisory exploit issue-tracking

https://github.com/erdogant/pypickle/issues/3#issue-3070689116

Patch patch

https://github.com/erdogant/pypickle/commit/14b4cae704a0bb4eb6723e238f25382d847a1917

View Patch ZIP pw:eip

Release Notes patch

https://github.com/erdogant/pypickle/releases/tag/2.0.0

Scores

CVSS v3 5.3

EPSS 0.0007

EPSS Percentile 21.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-266 CWE-285

Status published

Products (2)

erdogant/pypickle < 2.0.0

pypi/pypickle 0 - 2.0.0PyPI

Published May 26, 2025

Tracked Since Feb 18, 2026