CVE-2025-14606
Unknown Unknown - Not Provided
Remote Deserialization Vulnerability in tiny-rdm Pickle Decoding

Publication date: 2025-12-13

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in tiny-rdm Tiny RDM up to 1.2.5. Affected by this vulnerability is the function pickle.loads of the file pickle_convert.go of the component Pickle Decoding. The manipulation leads to deserialization. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-13
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14606
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tiny-rdm tiny_rdm 1.2.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the tiny-rdm Tiny RDM software up to version 1.2.5, specifically in the pickle.loads function within the pickle_convert.go file. It involves manipulation that leads to unsafe deserialization, which can be exploited remotely. The attack requires a high degree of complexity and is considered difficult to execute. The vulnerability has been publicly disclosed, but the project has not yet responded to the issue.

Impact Analysis

Exploitation of this vulnerability could allow an attacker to perform unsafe deserialization remotely, potentially leading to unauthorized code execution or other malicious actions within the affected system. However, due to the high complexity and difficulty of the attack, the risk is somewhat mitigated. The vulnerability could compromise the confidentiality, integrity, and availability of the system.

Detection Guidance

This vulnerability can be detected by monitoring for the use of Pickle decoding in Tiny RDM when viewing Redis keys. Specifically, detection involves checking if the user has enabled Pickle decoding in the value viewer, which triggers unsafe deserialization via `pickle.loads`. Since the exploit executes arbitrary code on the Tiny RDM host, one can look for suspicious files or commands executed, such as the creation of unexpected files like `/tmp/hacked-by-zznq`. There is no direct network signature since the attack is triggered locally when viewing malicious Redis keys. Suggested detection commands include monitoring for unexpected file creations or processes spawned by Tiny RDM, for example: `ls -l /tmp/hacked-by-zznq` to check for proof-of-concept artifacts, or using system process monitoring tools to detect unusual child processes spawned by Tiny RDM. Additionally, auditing Redis keys for suspicious pickle payloads may help, but no specific commands are provided in the resources. [2, 3]

Mitigation Strategies

Immediate mitigation steps include disabling Pickle decoding entirely in Tiny RDM or requiring explicit user opt-in with clear warnings before enabling it. If Pickle decoding must be used, it should be run inside a sandboxed environment such as a container or using seccomp to isolate the deserialization process. Additionally, replacing the direct use of `pickle.loads` with a restricted, schema-validated parser is recommended to prevent arbitrary code execution. Since the Tiny RDM project has not provided official patches or countermeasures, considering alternative products is also advised. [1, 2, 3]

Compliance Impact

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows remote code execution through insecure deserialization, it potentially compromises confidentiality, integrity, and availability of data, which could lead to non-compliance with data protection regulations if sensitive data is exposed or manipulated. No direct statements about compliance impact or regulatory considerations are given. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14606. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart