Possible Security Vulnerability in PLY library (a dependency of this library) #1
Description
Supporting Data:
•
- Tool Source: Mend
- File Path: /tmp/ws-scm/requirements.txt
- Line Number: N/A
- Image Name: N/A
Description : An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the "picklefile" parameter in the "yacc()" function. This parameter accepts a ".pkl" file that is deserialized with "pickle.load()" without validation. Because "pickle" allows execution of embedded code via "reduce()", an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk.
Library Name : ply
Library Filename : ply-3.11-py2.py3-none-any.whl
Library Description : Python Lex & Yacc
Library Type : PYTHON_PACKAGE
Library KeyUUID : 4a73aeab-0d41-4d77-b6d0-ac91a0a5ae55
CVSS v3 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
I'm sorry I can't come to you with a suggested fix at this time but hoping you might be able to find a way to move away from ply library. A quick analysis of the dependency tree shows:
robotframework-jsonlib
> jsonpath-ng
> ply