What happened
The Python parsing library PLY (Python Lex-Yacc) version 3.11, as distributed via PyPI, was reported to contain a critical issue enabling arbitrary code execution through unsafe deserialization. The vulnerability, assigned CVE-2025-56005, was tied to an undocumented picklefile parameter in the yacc() function. When this parameter is used, the library invokes pickle.load() on the specified file without validating whether the pickle content is trusted, so an attacker-controlled pickle payload can execute code during deserialization. The report described the issue as affecting the behavior of the PyPI-distributed package and noted that the picklefile parameter was not present in the official documentation despite existing in the production release. A published proof-of-concept was also referenced, demonstrating practical exploitation where untrusted pickle inputs are processed.
Who is affected
Organizations and developers using PLY 3.11 (PyPI-distributed) in workflows that load or accept untrusted pickle files are directly affected. Exposure is direct when attacker-controlled inputs can influence the picklefile path or contents, and potential where build or CI pipelines ingest untrusted artifacts.
Why CISOs should care
Unsafe deserialization in widely used developer libraries can become a software supply chain risk, especially when build systems, parsers, or automation pipelines process external inputs. RCE via pickle deserialization can enable rapid compromise of developer workstations, CI runners, or production services that integrate parsing components.
3 practical actions
- Stop deserializing untrusted pickle data: Remove or restrict usage paths that rely on pickle.load() for externally influenced inputs within PLY workflows.
- Pin and review dependency usage: Audit where PLY is used and ensure dependency versions and runtime configurations cannot be manipulated through user-controlled files.
- Protect CI and build environments: Isolate build runners, restrict artifact ingestion sources, and monitor for unexpected code execution during parsing or build steps.
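
One way to start the usage audit described above is to scan Python sources for yacc() calls that set the picklefile parameter. This is an added example, not code from the advisory or from the PLY project; the function name find_picklefile_calls and the sample source are constructed for illustration.

```python
import ast

# Constructed sample source for the demonstration; not taken from any real project.
SAMPLE = '''\
import os
import ply.yacc as yacc

parser_a = yacc.yacc(module=grammar)
parser_b = yacc.yacc(module=grammar, picklefile="parsetab.pkl")
parser_c = yacc.yacc(picklefile=os.environ["TABLE_CACHE"])
parser_d = yacc.yacc(**options)
parser_e = yacc.yacc(picklefile=None)
'''


def find_picklefile_calls(source, filename="<source>"):
    """Return sorted (line, kind, expression) for yacc() calls that may set picklefile.

    kind is "literal" (fixed path: check who can write that file),
    "dynamic" (path computed at runtime: check who controls the value), or
    "kwargs" (**mapping that could carry picklefile: needs manual review).
    Limitations: matches the callee by the name yacc, so aliased imports are
    missed, and a picklefile passed positionally is not detected.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Accept both yacc(...) and <anything>.yacc(...)
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name != "yacc":
            continue
        for kw in node.keywords:
            if kw.arg is None:  # **mapping expansion
                findings.append((node.lineno, "kwargs", ast.unparse(kw.value)))
            elif kw.arg == "picklefile":
                value = kw.value
                if isinstance(value, ast.Constant):
                    if value.value is None:  # explicit default, pickle path unused
                        continue
                    kind = "literal"
                else:
                    kind = "dynamic"
                findings.append((node.lineno, kind, ast.unparse(value)))
    return sorted(findings)


if __name__ == "__main__":
    for line, kind, expr in find_picklefile_calls(SAMPLE):
        print(f"line {line}: yacc() picklefile {kind}: {expr}")
```

A "dynamic" or "kwargs" finding is the one to trace first, since it is where an externally influenced value could select the file that gets unpickled.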
