CVE-2025-56005
Publication date 20 January 2026
Last updated 2 April 2026
Ubuntu priority
Cvss 3 Severity Score
Description
An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third-party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully.
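A parser table is plain data (tuples, dicts, lists, strings and integers), so a loader that has to read such a pickle never needs to resolve a module attribute or call a constructor. The following added example is not ply's own code; it assumes that property and shows two defensive checks a maintainer could apply before trusting a `.pkl` file: a static scan with `pickletools.genops` for opcodes that import or call something, and an `Unpickler` subclass whose `find_class` refuses every global, which is what a `__reduce__`-based payload relies on. The table dict and the pickle of the builtin `len` are constructed sample inputs.

```python
"""Data-only pickle loading as a mitigation for a picklefile-style parameter.

Added example, not ply's code. Assumption: the pickle holds only container
and scalar types, so any GLOBAL/REDUCE-style opcode is a sign of tampering.
"""
import io
import pickle
import pickletools

# Opcodes that make the unpickler import an attribute or invoke a callable.
# A pickle that contains only data never emits any of them.
_EXECUTING_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
    "NEWOBJ", "NEWOBJ_EX", "BUILD", "EXT1", "EXT2", "EXT4",
}


def executing_opcodes(data: bytes) -> set[str]:
    """Disassemble the stream (nothing is executed) and report unsafe opcodes."""
    found = set()
    for opcode, _arg, _pos in pickletools.genops(data):
        if opcode.name in _EXECUTING_OPCODES:
            found.add(opcode.name)
    return found


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that cannot resolve any global, so no class or function in
    the stream is reachable and a __reduce__ payload fails to load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing global {module}.{name}: parser tables are plain data"
        )


def safe_load(data: bytes):
    """Load a data-only pickle; raise on anything that would import or call."""
    bad = executing_opcodes(data)
    if bad:
        raise pickle.UnpicklingError(f"unsafe opcodes in pickle: {sorted(bad)}")
    return DataOnlyUnpickler(io.BytesIO(data)).load()


# Constructed sample shaped like a parser table: version string, action
# table, production list.  Not ply's real layout.
TABLE = {
    "version": "3.11",
    "lr_action": {0: {"NUMBER": 3}, 1: {"$end": 0}},
    "productions": [("expr", 3), ("expr", 1)],
}
TABLE_PICKLE = pickle.dumps(TABLE)

# Constructed sample of a pickle that references a global.  The builtin is
# harmless; the point is that an unrestricted pickle.load() would import it.
GLOBAL_PICKLE = pickle.dumps(len)


def demo() -> tuple[bool, bool, bool]:
    """Return (table loads, scan rejects global pickle, unpickler rejects it)."""
    table_ok = safe_load(TABLE_PICKLE) == TABLE

    try:
        safe_load(GLOBAL_PICKLE)
        scan_rejected = False
    except pickle.UnpicklingError:
        scan_rejected = True

    # Exercise the find_class guard on its own, bypassing the opcode scan.
    try:
        DataOnlyUnpickler(io.BytesIO(GLOBAL_PICKLE)).load()
        unpickler_rejected = False
    except pickle.UnpicklingError:
        unpickler_rejected = True

    return table_ok, scan_rejected, unpickler_rejected


if __name__ == "__main__":
    print(demo())
```

Both checks are redundant by design: the opcode scan gives an auditable reason before anything is deserialized, and the `find_class` override catches a stream the scan might misclassify. On the application side, the cheaper control is to confirm that no code path passes `picklefile=` to `yacc()` with a file an outside party can write.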
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| ply | 25.10 questing | Ignored |
| ply | 24.04 LTS noble | Ignored |
| ply | 22.04 LTS jammy | Ignored |
| ply | 20.04 LTS focal | Ignored |
| ply | 18.04 LTS bionic | Ignored |
| ply | 16.04 LTS xenial | Ignored |
Notes
mdeslaur
This is only an issue if an application is using the "picklefile" parameter, which is undocumented, in combination with untrusted pickle files. This is unlikely. There do not appear to be any applications in the Ubuntu archive using this parameter. Assigning this CVE to the ply library is probably not the right approach; applications that send untrusted pickles to this library should be assigned CVEs instead. ply is no longer being actively developed, so no fix will be available from the upstream developers. We will not be fixing this issue in Ubuntu. Marking as ignored.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality impact | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |