A critical vulnerability has been identified in the PyPI-distributed version of PLY (Python Lex-Yacc) 3.11, allowing arbitrary code execution through unsafe deserialization of untrusted pickle files.
The vulnerability, assigned CVE-2025-56005, affects the undocumented picklefile parameter in the yacc() function, which remains absent from official documentation despite being present in the production release.
The vulnerability stems from the yacc(picklefile=…) parameter invoking pickle.load() on attacker-controlled files without validation.
Python’s pickle module inherently supports arbitrary code execution during deserialization through the __reduce__() method, enabling malicious payloads to execute system commands before parser initialization occurs.
This presents a unique risk profile because the code execution happens silently during application startup, before any parsing logic is reached.
The vulnerability is particularly dangerous in environments where parser tables are cached on disk, shared between services, or generated in CI/CD pipelines.
Exploitation becomes possible when attackers can control, replace, or influence the pickle file path, such as:
| Area / Component | Description |
|---|---|
| Cached parser table locations | Locations where parser tables are stored locally |
| Shared network directories | Network-accessible shared folders |
| CI/CD pipeline artifacts | Build and deployment output files |
| Configurable or writable file paths | Application-defined writable paths |
The vulnerability can be demonstrated through a malicious pickle payload that executes system commands during deserialization.
When yacc(picklefile=’exploit.pkl’) loads a crafted pickle file containing serialized objects with embedded __reduce__() methods, arbitrary code execution is guaranteed before the parser becomes operational.
According to the advisory, organizations should immediately implement the following mitigations:
Avoid using the picklefile parameter with untrusted or externally writable files. Disable loading parser tables from user-controlled locations.
Treat all pickle files as potentially unsafe input. Regenerate parser tables dynamically rather than loading from disk.
Developers should update applications that use PLY 3.11 and audit configurations for potential exposure through the undocumented parameter.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
