Critical RCE Vulnerability in Python PLY via Unsafe Pickle Deserialization (CVE-2025-56005)
February 3rd, 2026
Critical
Our Cyber Threat Intelligence Unit is monitoring a critical remote code execution (RCE) vulnerability, CVE-2025-56005, affecting Python PLY (Python Lex-Yacc) version 3.11. PLY is a widely used parsing framework found in open-source projects, developer tools, automation platforms, and backend services. This vulnerability arises from unsafe deserialization of parser table files when an undocumented picklefile parameter is enabled during PLY parser initialization. Under this configuration, PLY relies on Python’s pickle.load() function to load parser tables without enforcing validation or integrity checks. If an attacker can influence the pickle file being loaded, this behavior may lead to arbitrary code execution. Since PLY is often used indirectly through other frameworks and is common in build and CI/CD pipelines, many environments may be exposed without their knowledge. Exploitation could lead to full application compromise, data exposure, and downstream supply-chain risk.
Technical Details
CVE ID: CVE-2025-56005
Vulnerability Type: Remote Code Execution (RCE)
Severity: Critical (CVSS: 9.8)
Affected Component: Python PLY (Python Lex-Yacc) version 3.11
Root Cause:
PLY’s yacc() function supports an undocumented picklefile parameter.
When enabled, PLY loads parser tables from a .pkl file using pickle.load().
Python pickle deserialization is inherently unsafe and can execute attacker-supplied code during object reconstruction.
No validation, sanitization, or integrity verification is performed on the pickle file prior to loading.
Attack Vector:
Application-level exploitation via unsafe deserialization.
Exploitation occurs when an attacker can control, replace, or poison the pickle file referenced by picklefile.
Authentication is not required if the attacker can influence the file path or contents:
e.g., writable directories, shared build artifacts, compromised CI/CD workflows.
Attack Conditions:
The application uses yacc(picklefile=...) directly or through a dependent component.
The .pkl file is stored in an insecure or attacker-modifiable location.
The vulnerable application loads the pickle file during parser initialization.
Exploitation Status:
Public proof-of-concept (PoC) exploit code is available and shows reliable RCE via malicious pickle payloads.
No confirmed widespread in-the-wild exploitation has been observed at this time.
This is a critical security risk for organizations due to its ease of exploitation and the prevalence of common insecure deserialization patterns in real-world environments.
Impact
Successful exploitation of CVE-2025-56005 may result in:
Remote Code Execution: Arbitrary Python code execution with application-level privileges.
Application Takeover: Compromise of backend services, developer tools, and automation platforms leveraging PLY.
Data Exposure and Manipulation: Unauthorized access to sensitive data, credentials, configuration files, and source code.
Lateral Movement: Attackers may pivot from compromised services to additional systems.
Supply-Chain Risk: Poisoned parser artifacts or build outputs may propagate compromise across dependent systems.
The ability to execute code during parser initialization significantly increases the operational and security impact of this vulnerability.
Detection Method
Defenders should consider the following detection and validation measures:
Application Log Monitoring: Review logs for abnormal behavior during PLY (lex / yacc) parser initialization.
Behavioral Monitoring: Detect anomalous Python process activity, including unexpected subprocess creation or command execution.
File Integrity Monitoring: Monitor .pkl files associated with parser tables for unauthorized modification.
Runtime Security Controls: Use EDR or RASP solutions to detect unsafe deserialization patterns and execution flows involving pickle.load().
Dependency Analysis: Leverage software composition analysis (SCA) tools to identify PLY usage across applications, development environments, and CI/CD pipelines.
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this Advisory.
Recommendations
Immediate Actions:
Identify all applications and workflows that use Python PLY, with a specific focus on the use of yacc(picklefile=...).
Avoid or remove the picklefile parameter unless the pickle file is strictly trusted and protected.
Mitigation Measures:
Store parser table files in non-writable, non-shared directories.
Protect build artifacts and parser files within CI/CD pipelines to prevent artifact poisoning.
Enforce least-privilege execution for Python services using PLY.
Restrict file system permissions to prevent unauthorized modification of .pkl files.
Hardening and Monitoring:
Treat all pickle deserialization operations as high-risk behavior.
Enable enhanced logging around parser initialization and file loading.
Monitor for unexpected outbound connections or process spawning from Python services.
Note: At this time, no confirmed patched release has been documented. Organizations should closely monitor upstream maintainers for official remediation guidance.
Conclusion
CVE-2025-56005 is a critical security vulnerability in Python PLY version 3.11, caused by unsafe pickle deserialization during parser initialization. This vulnerability allows arbitrary code execution when attacker-controlled pickle files are loaded, posing significant risks to backend services, development environments, and software supply chains. Although widespread exploitation has not yet been observed, the availability of public proof-of-concept code and the prevalence of insecure deserialization patterns significantly increase the likelihood of abuse. We urge organizations to promptly assess their exposure, eliminate unsafe configurations, and harden affected environments to mitigate associated risks and potential compromise.