CVE-2025-14606
Remote Deserialization Vulnerability in tiny-rdm Pickle Decoding
Publication date: 2025-12-13
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tiny-rdm | tiny_rdm | 1.2.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Tiny RDM software by tiny-rdm up to version 1.2.5, specifically in the pickle.loads function within the pickle_convert.go file. Manipulation of the data passed to that function leads to unsafe deserialization, and the attack can be carried out remotely. The attack requires a high degree of complexity and is considered difficult to execute. The vulnerability has been publicly disclosed, but the project has not yet responded to the issue.
How can this vulnerability impact me?
Exploitation of this vulnerability could allow an attacker to perform unsafe deserialization remotely, potentially leading to unauthorized code execution or other malicious actions within the affected system. However, due to the high complexity and difficulty of the attack, the risk is somewhat mitigated. The vulnerability could compromise the confidentiality, integrity, and availability of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for the use of Pickle decoding in Tiny RDM when viewing Redis keys. Specifically, detection involves checking if the user has enabled Pickle decoding in the value viewer, which triggers unsafe deserialization via `pickle.loads`. Since the exploit executes arbitrary code on the Tiny RDM host, one can look for suspicious files or commands executed, such as the creation of unexpected files like `/tmp/hacked-by-zznq`. There is no direct network signature since the attack is triggered locally when viewing malicious Redis keys. Suggested detection commands include monitoring for unexpected file creations or processes spawned by Tiny RDM, for example: `ls -l /tmp/hacked-by-zznq` to check for proof-of-concept artifacts, or using system process monitoring tools to detect unusual child processes spawned by Tiny RDM. Additionally, auditing Redis keys for suspicious pickle payloads may help, but no specific commands are provided in the resources. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling Pickle decoding entirely in Tiny RDM or requiring explicit user opt-in with clear warnings before enabling it. If Pickle decoding must be used, it should be run inside a sandboxed environment such as a container or using seccomp to isolate the deserialization process. Additionally, replacing the direct use of `pickle.loads` with a restricted, schema-validated parser is recommended to prevent arbitrary code execution. Since the Tiny RDM project has not provided official patches or countermeasures, considering alternative products is also advised. [1, 2, 3]
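The two defensive measures the answers above describe, auditing stored values for suspicious pickle payloads and replacing a bare `pickle.loads` with a restricted parser, as an added Python example. This is not code from the Tiny RDM project (which is written in Go); it shows the technique in Python, where the pickle opcode machinery is native. The names `audit_pickle`, `LiteralOnlyUnpickler`, `restricted_load` and `safe_decode` and the sample payloads are constructed for this example.

```python
"""Audit-then-restrict handling of pickle payloads for a key viewer.

Added example, not code from the Tiny RDM project. Function and class names
are illustrative; the sample payloads are constructed here, not real keys.
"""
import io
import pickle
import pickletools

# Opcodes that resolve a name to a Python object or call something during
# unpickling. A viewer that only wants to render plain data never needs them,
# so their presence in a value read from an untrusted Redis key is the signal
# to refuse the payload before any of it executes.
DANGEROUS_OPCODES = frozenset({
    "GLOBAL", "STACK_GLOBAL",          # look up module.attr by name
    "REDUCE", "INST", "OBJ",           # call the looked-up object
    "NEWOBJ", "NEWOBJ_EX", "BUILD",    # construct objects, run __setstate__
    "EXT1", "EXT2", "EXT4",            # copyreg extension-registry lookups
})


def audit_pickle(data: bytes) -> list:
    """Walk the opcode stream without executing it and return the names of
    dangerous opcodes in order of appearance. A stream that does not parse
    as pickle is reported as ["MALFORMED"] so the caller rejects it too."""
    found = []
    try:
        for opcode, _arg, _pos in pickletools.genops(data):
            if opcode.name in DANGEROUS_OPCODES:
                found.append(opcode.name)
    except ValueError:  # truncated stream or unknown opcode
        found.append("MALFORMED")
    return found


class LiteralOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup. With no way to obtain a
    callable, the result can only be assembled from literal opcodes: dict,
    list, tuple, str, bytes, int, float, bool and None."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")

    def persistent_load(self, pid):
        # Already an error by default; made explicit because it is the other
        # hook through which a stream can ask the host for an object.
        raise pickle.UnpicklingError("persistent IDs are not allowed")


def restricted_load(data: bytes):
    """Decode with the literal-only unpickler; raises pickle.UnpicklingError
    on any payload that references a global."""
    return LiteralOnlyUnpickler(io.BytesIO(data)).load()


def safe_decode(data: bytes) -> tuple:
    """Return ("ok", value) for a literal-only payload, or ("rejected", why)
    for anything a viewer should not deserialize. Both layers are applied:
    the audit rejects before executing anything, and the unpickler rejects
    if the audit ever misses something."""
    flagged = audit_pickle(data)
    if flagged:
        return ("rejected", "dangerous opcodes: " + ", ".join(flagged))
    try:
        return ("ok", restricted_load(data))
    except Exception as exc:  # malformed streams raise several types
        return ("rejected", f"unpickling failed: {exc!r}")


# Constructed samples (not real Redis data). The reference to the harmless
# builtin `len` exercises exactly the GLOBAL / STACK_GLOBAL machinery that a
# hostile payload needs, without carrying any hostile behaviour.
SAMPLE_PLAIN = pickle.dumps({"user": "alice", "scores": [1, 2, 3]}, protocol=4)
SAMPLE_GLOBAL_P2 = pickle.dumps(len, protocol=2)   # emits GLOBAL
SAMPLE_GLOBAL_P4 = pickle.dumps(len, protocol=4)   # emits STACK_GLOBAL
SAMPLE_TRUNCATED = SAMPLE_PLAIN[:-1]                # STOP opcode cut off


if __name__ == "__main__":
    for label, blob in [("plain", SAMPLE_PLAIN), ("global-p2", SAMPLE_GLOBAL_P2),
                        ("global-p4", SAMPLE_GLOBAL_P4), ("truncated", SAMPLE_TRUNCATED)]:
        print(f"{label:10} audit={audit_pickle(blob)} -> {safe_decode(blob)}")
```

The audit step is the one worth running over stored keys in bulk, since `pickletools.genops` only parses the stream and never executes it; the restricted unpickler is the layer that belongs in the viewer itself, so a value that slips past the audit still cannot resolve a callable. Note that the allow-list is deliberately narrow: anything pickled by reference (datetime objects, sets under protocol 2, custom classes) is rejected, which is the intended trade-off for a viewer that only needs to display data.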
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows remote code execution through insecure deserialization, it potentially compromises confidentiality, integrity, and availability of data, which could lead to non-compliance with data protection regulations if sensitive data is exposed or manipulated. No direct statements about compliance impact or regulatory considerations are given. [1, 2, 3]