CVE-2025-56005

Name: CVE-2025-56005
Creator: NVD / NIST
Published: 2026-01-20T19:15:49.247+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 18.65%

Last modified Jun 17, 2026

CVE-2025-56005 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. EPSS estimates a 18.65% chance of exploitation in the next 30 days.

Description

An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third-party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

18.65%

96.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-502

Affected Software

Vendor	Product	Versions
Dabeaz	Ply	3.11

References

https://github.com/bohmiiidd/Undocumented-RCE-in-PLYExploit, Third Party Advisory
https://github.com/bohmiiidd/Undocumument_RCE_PLY-yacc-CVE-2025-56005Exploit, Third Party Advisory
https://github.com/tom025/ply_exploit_rejectionExploit, Mitigation, Third Party Advisory
https://github.com/tom025/ply_exploit_rejection/issues/1
http://www.openwall.com/lists/oss-security/2026/01/23/4Exploit, Mailing List
http://www.openwall.com/lists/oss-security/2026/01/23/5Mailing List
http://www.openwall.com/lists/oss-security/2026/01/28/5Exploit, Mailing List
http://www.openwall.com/lists/oss-security/2026/01/29/1Exploit, Mailing List
http://www.openwall.com/lists/oss-security/2026/01/29/2Mailing List
http://www.openwall.com/lists/oss-security/2026/01/30/1

Timeline

Published: Jan 20, 2026
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2025-56005?

How severe is CVE-2025-56005?

CVE-2025-56005 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 18.65% probability of exploitation in the next 30 days.

How do I fix CVE-2025-56005?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-56005?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST