CVE-2025-6279

MEDIUM

Upsonic <0.55.6 - Deserialization

Title source: llm

Description

A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the file /tools/add_tool of the component Pickle Handler. The manipulation leads to deserialization. The exploit has been disclosed to the public and may be used.

References (4)

[Exploit, Issue Tracking] https://github.com/Upsonic/Upsonic/issues/353

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.313283

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.313283

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.593099

Scores

CVSS v3 5.5

EPSS 0.0007

EPSS Percentile 22.0%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-502 CWE-20

Status published

Affected Products (2)

upsonic/upsonic < 0.55.6

pypi/upsonic < 0.56.0PyPI

Timeline

Published Jun 19, 2025

Tracked Since Feb 18, 2026