CVE-2025-56005
Public on 2026-01-20
Modified on 2026-01-21
Description
An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter of the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because unpickling will import and call any callable named in the stream (the mechanism an object's `__reduce__()` hook relies on), an attacker who can supply the pickle file achieves code execution when it is loaded. The parameter is not mentioned in the official documentation or the GitHub repository, yet it is active in the PyPI release. This introduces a stealthy backdoor and persistence risk.
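The description above comes down to two facts a defender can act on: a parse-table file handed to `picklefile` needs only plain data (dicts, lists, tuples, strings, ints), and a pickle stream that can run code must contain opcodes that resolve an importable name and call it. The following example is added here and is not part of the advisory or of PLY itself; it shows how to disassemble a candidate `.pkl` with `pickletools` (without executing it) and flag those opcodes, and how a restricted `Unpickler` refuses every importable name so that a plain-data file still loads while anything else is rejected. The sample pickles, the table layout, and the assumption that a PLY table file contains only primitive containers are constructed for illustration and were not checked against PLY's real on-disk format. The "callable" sample is a harmless `datetime.date`, which happens to serialise through `__reduce__` and therefore carries the same `STACK_GLOBAL` + `REDUCE` pair a code-running stream needs.

```python
import datetime
import io
import pickle
import pickletools

# Opcodes that make the unpickler resolve an importable name and/or call it.
# Any of these in a table file means loading it can run code the file names.
CALLABLE_OPCODES = {
    "GLOBAL", "STACK_GLOBAL",              # import module.name
    "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",  # instantiate a class
    "REDUCE", "BUILD",                     # call func(*args) / obj.__setstate__
}


def scan_pickle(data: bytes) -> list[str]:
    """Return the callable-resolving opcodes found in `data`, in stream order.

    pickletools.genops disassembles the stream; nothing in it is executed.
    """
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in CALLABLE_OPCODES]


def table_file_is_plain_data(data: bytes) -> bool:
    """Gate for a picklefile: True only if no callable-resolving opcode appears."""
    return not scan_pickle(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every importable name unless explicitly allowed.

    ALLOWED is empty: a parse-table file is assumed (assumption, not verified
    against PLY's own format) to need only dicts, lists, tuples, strings and
    ints, none of which go through find_class.
    """
    ALLOWED: set[tuple[str, str]] = set()

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def try_safe_load(data: bytes) -> tuple[bool, object]:
    """Load `data` with the restricted unpickler.

    Returns (True, obj) on success, or (False, reason) if the stream tried to
    resolve a callable or was otherwise rejected.
    """
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed samples (not real PLY output): a plain-data "table", and a pickle
# of a datetime.date, benign but serialised via __reduce__.
BENIGN_TABLE = pickle.dumps(
    {"tokens": ["NUMBER", "PLUS"], "lr_action": {0: {"NUMBER": 1}}}
)
CALLABLE_PICKLE = pickle.dumps(datetime.date(2026, 1, 20))


if __name__ == "__main__":
    for label, blob in (("benign table", BENIGN_TABLE),
                        ("date object", CALLABLE_PICKLE)):
        print(f"{label}: opcodes={scan_pickle(blob)} "
              f"plain_data={table_file_is_plain_data(blob)}")
        print(f"  restricted load -> {try_safe_load(blob)}")
```

The opcode scan is the cheaper check and can run on files at rest (for example as a pre-deploy gate over every `.pkl` a service ships); the restricted unpickler is the runtime control for code that must load such a file anyway. Neither replaces the straightforward fix of not passing untrusted files to `picklefile` at all.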
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Firefox Extra | firefox | | | Not Affected |
| Amazon Linux 2023 | firefox | | | Not Affected |
| Amazon Linux 2 - Core | gjs | | | Not Affected |
| Amazon Linux 2023 | gjs | | | Not Affected |
| Amazon Linux 2 - Core | policycoreutils | | | Pending Fix |
| Amazon Linux 2023 | policycoreutils | | | Pending Fix |
| Amazon Linux 2 - Core | polkit | | | Not Affected |
| Amazon Linux 2023 | polkit | | | Not Affected |
| Amazon Linux 2 - Core | python-ply | | | Pending Fix |
| Amazon Linux 2023 | python-ply | | | Pending Fix |
| Amazon Linux 2 - Core | rust | | | Not Affected |
| Amazon Linux 2023 | rust | | | Not Affected |
| Amazon Linux 2 - Core | wireshark | | | Not Affected |
| Amazon Linux 2023 | wireshark | | | Not Affected |
CVSS Scores
| Source | Score Type | Score | Vector |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.3 | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H |