Insecure deserialization allowing arbitrary code execution through crafted pickle payloads.
```python
import base64
import pickle

from flask import Flask, jsonify, request

app = Flask(__name__)

# apply_theme() and set_language() are application helpers defined elsewhere.


def load_user_preferences(encoded_data):
    # Deserialize user preferences from cookie
    data = base64.b64decode(encoded_data)
    # VULNERABLE: pickle.loads() runs on attacker-controlled cookie data
    preferences = pickle.loads(data)
    return preferences


@app.route('/preferences', methods=['POST'])
def update_preferences():
    prefs_cookie = request.cookies.get('preferences')
    if prefs_cookie:
        preferences = load_user_preferences(prefs_cookie)
        # Apply user preferences
        apply_theme(preferences.get('theme'))
        set_language(preferences.get('language'))
    return jsonify({'success': True})
```
Pickle can execute arbitrary Python code during deserialization via the `__reduce__` magic method. Never unpickle untrusted data. The secure version uses JSON, which only handles data, not code, and validates the structure.
Craft pickle payload to execute system commands
```python
import os


class RCE:
    def __reduce__(self):
        return (os.system, ("cat /etc/passwd",))
```

Arbitrary code execution on server
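The JSON-based secure version described above, written out as an added example (it is not code from the original page). The size limit, the allowlisted theme and language values, the defaults and the `InvalidPreferences` exception are assumptions chosen for illustration.

```python
import base64
import json

# Assumed limit and allowlists for this example; adjust to the application.
MAX_COOKIE_CHARS = 4096
ALLOWED = {"theme": {"light", "dark"}, "language": {"en", "de", "fr"}}
DEFAULTS = {"theme": "light", "language": "en"}


class InvalidPreferences(ValueError):
    """Raised when the cookie does not decode to the expected structure."""


def load_user_preferences(encoded_data):
    """Decode base64-encoded JSON preferences and validate the structure."""
    if not isinstance(encoded_data, str) or len(encoded_data) > MAX_COOKIE_CHARS:
        raise InvalidPreferences("missing or oversized cookie")
    try:
        # validate=True rejects characters outside the base64 alphabet.
        raw = base64.b64decode(encoded_data, validate=True)
        # json.loads() only builds dicts, lists, strings, numbers, booleans
        # and None; it has no hook that runs code, unlike pickle.
        data = json.loads(raw.decode("utf-8"))
    except (ValueError, RecursionError) as exc:
        # Covers bad base64, invalid UTF-8, invalid JSON and absurd nesting.
        raise InvalidPreferences("cookie is not base64-encoded JSON") from exc

    if not isinstance(data, dict):
        raise InvalidPreferences("top-level value must be an object")
    unknown = set(data) - set(ALLOWED)
    if unknown:
        raise InvalidPreferences(f"unexpected keys: {sorted(unknown)}")

    prefs = {**DEFAULTS, **data}
    for key, allowed_values in ALLOWED.items():
        value = prefs[key]
        # Type check first: a list or dict value is unhashable and must not
        # reach the set membership test.
        if not isinstance(value, str) or value not in allowed_values:
            raise InvalidPreferences(f"invalid value for {key}")
    return prefs
```

In the request handler, catch `InvalidPreferences` and either fall back to `DEFAULTS` or return a 400 response instead of applying the values.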