CVE-2025-62515
BaseFortify

Publication date: 2025-10-17

Last updated on: 2025-10-21

Assigner: GitHub, Inc.

Description
pyquokka is a framework for making data lakes work for time series. In versions 0.3.1 and prior, the FlightServer class directly uses pickle.loads() to deserialize action bodies received from Flight clients without any sanitization or validation in the do_action() method. The vulnerable code is located in pyquokka/flight.py at line 283 where arbitrary data from Flight clients is directly passed to pickle.loads(). When FlightServer is configured to listen on 0.0.0.0, this allows attackers across the entire network to perform arbitrary remote code execution by sending malicious pickled payloads through the set_configs action. Additional vulnerability points exist in the cache_garbage_collect, do_put, and do_get functions where pickle.loads is used to deserialize untrusted remote data.
Meta Information
Page generated: 2026-05-06
AI Q&A generated: 2025-10-17
EPSS evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
2 associated CPEs:

Vendor          Product    Version
marsupialtail   pyquokka   0.3.1
marsupialtail   pyquokka   0.3.2

Note: the CPE list associates both 0.3.1 and 0.3.2 with this CVE, while the description above says "versions 0.3.1 and prior" and the Q&A below names 0.3.2 as the patched release. Confirm the fixed version against the GitHub advisory before treating an upgrade to 0.3.2 as sufficient on its own.
CWE
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a critical remote code execution flaw in the pyquokka framework's FlightServer class. It occurs because the do_action() method unsafely deserializes data received from Flight clients using Python's pickle.loads() without any sanitization or validation. Attackers can send malicious pickled payloads that execute arbitrary code on the server, especially when FlightServer listens on all network interfaces (0.0.0.0). Additional vulnerable points exist in other methods that also deserialize untrusted data with pickle.loads(). [1]


How can this vulnerability impact me?

This vulnerability allows attackers to remotely execute arbitrary code on the server running the vulnerable pyquokka FlightServer. This can lead to full system compromise, including data exfiltration, lateral movement within the network, denial of service, and installation of persistent backdoors. The impact is critical with high confidentiality, integrity, and availability consequences. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring network traffic for suspicious Flight client requests, especially those targeting the FlightServer on port 5005 (or configured port) with action type 'set_configs'. You can use network capture tools like tcpdump or Wireshark to capture and analyze traffic to the FlightServer. Additionally, inspecting logs for unexpected or malformed pickle payloads or unusual activity in the FlightServer logs may help. There is no specific command provided for detection, but monitoring connections to FlightServer bound on 0.0.0.0 and analyzing payloads for pickle deserialization attempts is recommended. [1]
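The answer above stops short of a concrete check. One that works offline on a captured action body is to disassemble the pickle with pickletools.genops, which walks the opcode stream without executing any of it, and alert on anything a pure-data message (dicts, lists, strings, numbers) never needs: a GLOBAL/STACK_GLOBAL import or a REDUCE/NEWOBJ/BUILD call. The example below is added here and is not BaseFortify's or pyquokka's code; the two payloads are constructed inline (the malicious one is built from a __reduce__ hook, never unpickled), and scan_pickle, is_suspicious and the DANGEROUS_GLOBALS list are this example's own names.

```python
import os
import pickle
import pickletools

# Constructed sample payloads for this example (not captured traffic).
class _Evil:
    """Pickling this object emits a pickle that would call os.system on load."""
    def __reduce__(self):
        return (os.system, ("echo pwned",))

MALICIOUS_PAYLOAD = pickle.dumps(_Evil())            # built here, never unpickled
BENIGN_PAYLOAD = pickle.dumps({"batch_size": 1024})  # a plausible pure-data config body

# Callables a data-plane config message has no reason to import.
# os.system pickles under its real module name: "posix" on Unix, "nt" on Windows.
DANGEROUS_GLOBALS = {
    ("posix", "system"), ("nt", "system"), ("os", "system"), ("os", "popen"),
    ("subprocess", "Popen"), ("subprocess", "call"), ("subprocess", "run"),
    ("builtins", "eval"), ("builtins", "exec"), ("builtins", "__import__"),
}
# Opcodes that call a callable or mutate object state during unpickling.
CALL_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}
STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                  "STRING", "SHORT_BINSTRING", "BINSTRING"}


def scan_pickle(data: bytes) -> dict:
    """Disassemble a pickle with pickletools.genops (nothing is executed) and
    report every global import and every call-like opcode it contains.

    Heuristic: for STACK_GLOBAL the module and attribute are taken as the two
    most recent string constants; memo lookups (BINGET) are not followed.
    """
    report = {"globals": [], "calls": [], "dangerous": [], "error": None}
    recent_strings = []
    try:
        for opcode, arg, pos in pickletools.genops(data):
            name = opcode.name
            if name in STRING_OPCODES:
                recent_strings.append(arg)
            elif name == "GLOBAL":                      # protocol <= 3: arg is "module name"
                module, attr = arg.split(" ", 1)
                report["globals"].append((module, attr))
            elif name == "STACK_GLOBAL" and len(recent_strings) >= 2:
                report["globals"].append((recent_strings[-2], recent_strings[-1]))
            elif name in CALL_OPCODES:
                report["calls"].append((name, pos))
    except Exception as exc:                            # truncated or non-pickle bytes
        report["error"] = f"{type(exc).__name__}: {exc}"
    report["dangerous"] = [g for g in report["globals"] if g in DANGEROUS_GLOBALS]
    return report


def is_suspicious(data: bytes) -> bool:
    """A pure-data message needs no globals and no REDUCE; anything else, or a
    body that does not parse as a pickle at all, is worth alerting on."""
    r = scan_pickle(data)
    return bool(r["error"] or r["globals"] or r["calls"])


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_PAYLOAD), ("malicious", MALICIOUS_PAYLOAD)):
        verdict = "suspicious" if is_suspicious(body) else "clean"
        print(label, verdict, scan_pickle(body))
```

The scanner is deliberately strict: a legitimate message that pickles an object instance (say a pyarrow schema) will also show a STACK_GLOBAL and trip it, which is the point, because the server should not accept such bodies from the network at all. Feed it the raw body bytes extracted from a capture of the Flight gRPC stream, or run it over messages logged by a test instance bound to 127.0.0.1.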


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:
1) Bind the FlightServer to localhost (127.0.0.1) instead of 0.0.0.0 to restrict access to local clients only.
2) Implement authentication and authorization controls to prevent unauthorized access.
3) Replace unsafe pickle.loads() deserialization with safer alternatives such as JSON, Protocol Buffers, or MessagePack.
4) If pickle must be used, implement a custom Unpickler that restricts allowed classes via find_class().
5) Upgrade pyquokka to version 0.3.2 or later where the vulnerability is patched. [1]
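Steps 3 and 4 in code, as an added example that is not pyquokka's own fix: a RestrictedUnpickler whose find_class() is consulted for every GLOBAL/STACK_GLOBAL reference and refuses anything outside a small allowlist of plain-data builtins, so a payload aimed at os.system is rejected before its REDUCE opcode runs, beside a JSON decoder with an explicit per-key schema as the replacement format. The config keys batch_size and worker_id, the CONFIG_SCHEMA, and the sample bodies are assumptions constructed for illustration.

```python
import builtins
import io
import json
import os
import pickle

# Constructed sample bodies for this example (not captured traffic).
class _Evil:
    def __reduce__(self):
        return (os.system, ("echo pwned",))

MALICIOUS_BODY = pickle.dumps(_Evil())
BENIGN_BODY = pickle.dumps({"batch_size": 1024, "worker_id": "w-0"})

# Plain-data types are the only globals a config message could legitimately name.
# With protocol 4+ a dict of strings and numbers references no global at all.
_SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                  "str", "bytes", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class() runs for every global reference before anything is called,
    so a denied lookup stops the payload before REDUCE can invoke it."""

    def find_class(self, module, name):
        if module == "builtins" and name in _SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_loads(data: bytes):
    """Drop-in for pickle.loads() on data that must stay pure-data."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Replacement format: JSON with an explicit schema (key -> exact type).
CONFIG_SCHEMA = {"batch_size": int, "worker_id": str}


def decode_config_json(body: bytes) -> dict:
    """Decode a config body as JSON and reject unknown keys or wrong types."""
    cfg = json.loads(body.decode("utf-8"))
    if not isinstance(cfg, dict):
        raise ValueError("config must be a JSON object")
    for key, value in cfg.items():
        expected = CONFIG_SCHEMA.get(key)
        # type() rather than isinstance(): bool is a subclass of int in Python.
        if expected is None or type(value) is not expected:
            raise ValueError(f"unexpected config field {key!r}")
    return cfg


def try_load(loader, body: bytes):
    """Run a decoder and return (ok, value_or_error) so the outcome is inspectable."""
    try:
        return True, loader(body)
    except (pickle.UnpicklingError, ValueError, UnicodeDecodeError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    print(try_load(safe_loads, BENIGN_BODY))
    print(try_load(safe_loads, MALICIOUS_BODY))
    print(try_load(decode_config_json, b'{"batch_size": 1024, "worker_id": "w-0"}'))
    print(try_load(decode_config_json, b'{"batch_size": "1024"}'))
```

The restricted unpickler is a containment measure, not a replacement for step 3: it still parses attacker-controlled bytes with the full pickle machinery, so keep the allowlist to types with no side effects and prefer the JSON path (or Protocol Buffers/MessagePack) for anything crossing a network boundary. Neither decoder helps unless steps 1 and 2 also keep the endpoint off 0.0.0.0 and behind authentication.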

