CVE-2025-56005
published 2026-01-20CVE-2025-56005: An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()`…
PriorityP273critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
16.90%
96.7th percentile
An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third-party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dabeaz | ply | — | — |
| debian | ply | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for use of the undocumented `picklefile` parameter in calls to the `yacc()` function within PLY (Python Lex-Yacc) library version 3.11 ↗
- →Detect deserialization of `.pkl` files via `pickle.load()` without validation, especially when invoked from PLY's yacc module ↗
- →Alert on pickle files containing `__reduce__()` method implementations being loaded by PLY, as this is the mechanism for embedding malicious code execution payloads ↗
- →Investigate attack vectors that allow an attacker to supply or modify a pickle file loaded by PLY, including shared directory race conditions, configuration injection, supply chain compromise, file upload, or path traversal vulnerabilities ↗
- ·The vulnerable `picklefile` parameter is undocumented and only present in the PyPI-distributed version of PLY 3.11; it is not mentioned in official documentation or the GitHub repository, making it a stealthy attack surface ↗
- ·Exploitation is conditional: the target application must explicitly use the undocumented `picklefile` parameter AND the attacker must be able to influence which pickle file is loaded; this is not universally exploitable ↗
- ·A third-party disputes this CVE, stating the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully ↗
- ·The `python-ply` package itself is marked 'Not affected' on RHEL 7, 8, 9, and 10; affected packages are downstream consumers that bundle PLY ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL
vendor_debian9.8LOW
vendor_redhat9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2025-56005: An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3
osv·2026-01-20·CVSS 9.8
CVE-2025-56005 [CRITICAL] CVE-2025-56005: An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3
An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third-party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully.
GHSA
GHSA-qc6m-pwr3-g72p: An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3
ghsa_unreviewed·2026-01-20
CVE-2025-56005 [CRITICAL] CWE-502 GHSA-qc6m-pwr3-g72p: An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3
An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk.
Red Hat
ply: python-ply: Unsafe pickle file handling in Ply
vendor_redhat·2026-01-20·CVSS 9.8
CVE-2025-56005 [CRITICAL] CWE-502 ply: python-ply: Unsafe pickle file handling in Ply
ply: python-ply: Unsafe pickle file handling in Ply
An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third-party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails
Debian
CVE-2025-56005: ply - An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 all...
vendor_debian·2025·CVSS 9.8
CVE-2025-56005 [CRITICAL] CVE-2025-56005: ply - An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 all...
An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third-party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully.
Scope: local
bookworm: ope
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-56005 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-56005 [CRITICAL] CVE-2025-56005 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-56005 :
NixOS vulnerability analysis and mitigation
picklefile
yacc()
.pkl
pickle.load()
pickle
__reduce__()
Wiz Threat Research note: This vulnerability's CVSS vector has been overridden to Attack Vector LOCAL by the Wiz Research team, as pickle files must be loaded on the host itself.
Source : NVD
## 9.8
Score
Published January 20, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
NixOS
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 76.3
Exploitation Probability (EPSS) 0.9
Affected packages and libraries
pypy3.10-libs-debuginfo
pypy3.11-test
Sources
NVD
Debian 11, 12, 13, 14 Severity LOW No Fix Added at: Jan 26, 2026
Echo Severity CR
Bugzilla
CVE-2025-56005 ply: python-ply: Unsafe pickle file handling in Ply
bugzilla·2026-01-20·CVSS 9.8
CVE-2025-56005 [CRITICAL] CVE-2025-56005 ply: python-ply: Unsafe pickle file handling in Ply
CVE-2025-56005 ply: python-ply: Unsafe pickle file handling in Ply
An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk.
https://github.com/bohmiiidd/Undocumented-RCE-in-PLYhttps://github.com/bohmiiidd/Undocumument_RCE_PLY-yacc-CVE-2025-56005https://github.com/tom025/ply_exploit_rejectionhttps://github.com/tom025/ply_exploit_rejection/issues/1http://www.openwall.com/lists/oss-security/2026/01/23/4http://www.openwall.com/lists/oss-security/2026/01/23/5http://www.openwall.com/lists/oss-security/2026/01/28/5http://www.openwall.com/lists/oss-security/2026/01/29/1http://www.openwall.com/lists/oss-security/2026/01/29/2http://www.openwall.com/lists/oss-security/2026/01/30/1https://access.redhat.com/security/cve/CVE-2025-56005https://bugzilla.redhat.com/show_bug.cgi?id=2431308https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-56005.json
2026-01-20
Published