CVE-2025-56005
DOCUMENTATION: An arbitrary code execution vulnerability was discovered in PLY (Python Lex-Yacc). When an application uses PLY's undocumented picklefile parameter to load cached parser data, the library deserializes the pickle file without validation. If an attacker can supply or modify the pickle file being loaded, they can embed malicious code that executes automatically during the deserialization process, potentially allowing them to run arbitrary commands on the affected system.
STATEMENT: This vulnerability is rated Important rather than Critical because it only affects applications that use an undocumented parameter (picklefile) in legacy PLY versions 3.2-3.11; the parameter was designed for an atypical use case (Jython environments with oversized parser tables). Exploitation requires the target application to have explicitly used this undocumented parameter in its code, and it depends on the attacker's ability to influence which pickle file gets loaded, whether through shared-directory race conditions, configuration injection, supply chain compromise, or chaining with separate vulnerabilities such as file upload or path traversal. This makes it a conditional, context-dependent vulnerability rather than a universally exploitable critical flaw.
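As an added example (not code from the advisory or from the PLY project), a small audit helper that uses Python's ast module to locate yacc() calls that pass the undocumented picklefile parameter, or that forward opaque **kwargs through which it could be supplied from configuration at runtime. The sample source being scanned is constructed for the example.

```python
import ast
from typing import List, Tuple

# Constructed sample source for the example; not taken from any real project.
SAMPLE_SOURCE = '''
import ply.yacc as yacc
from ply import yacc as y2

parser_a = yacc.yacc(picklefile="/tmp/shared/parsetab.pkl")   # flagged
parser_b = y2.yacc(debug=False, write_tables=False)           # fine
parser_c = yacc.yacc(**cfg)                                   # flagged: opaque kwargs
'''


def find_picklefile_uses(source: str, filename: str = "<string>") -> List[Tuple[int, str]]:
    """Return (line number, reason) for every yacc() call that may load a pickled table.

    Two patterns are reported: an explicit picklefile= keyword, and a call that
    expands **kwargs, since a picklefile entry could then be injected via config.
    """
    findings: List[Tuple[int, str]] = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Handle both `yacc.yacc(...)` / `alias.yacc(...)` and a bare `yacc(...)`.
        if isinstance(func, ast.Attribute):
            name = func.attr
        elif isinstance(func, ast.Name):
            name = func.id
        else:
            continue
        if name != "yacc":
            continue
        for kw in node.keywords:
            if kw.arg == "picklefile":
                findings.append((node.lineno, "explicit picklefile= argument"))
            elif kw.arg is None:
                findings.append((node.lineno, "yacc() called with **kwargs; picklefile may be set at runtime"))
    return findings


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Parse a Python file from disk and report suspicious yacc() calls."""
    with open(path, "r", encoding="utf-8") as fh:
        return find_picklefile_uses(fh.read(), path)


if __name__ == "__main__":
    for lineno, reason in find_picklefile_uses(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason}")
```

Any hit should be reviewed for whether the pickle path is writable by anyone other than the application owner, or whether a fixed PLY version or a rewrite without picklefile is available.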
References
https://access.redhat.com/security/cve/CVE-2025-56005
