CVE-2022-35411: Deserialization of Untrusted Data

July 8, 2022 (updated February 9, 2024)

rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the “serializer: pickle” HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.

References

github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd
github.com/ehtec/rpcpy-exploit
medium.com/@elias.hohl/remote-code-execution-0-day-in-rpc-py-709c76690c30
nvd.nist.gov/vuln/detail/CVE-2022-35411

Code Behaviors & Features

Detect and mitigate CVE-2022-35411 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →