CVE-2025-62703
中文标题:
(暂无数据)
英文标题:
Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer
漏洞描述
中文描述:
(暂无数据)
英文描述:
Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization via FlaskRPCServer. The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server implementation, I found that the _decode() function in fugue/rpc/flask.py directly uses cloudpickle.loads() to deserialize data without any sanitization. This creates a remote code execution vulnerability when malicious pickle data is processed by the RPC server. The vulnerability exists in the RPC communication mechanism where the client can send arbitrary serialized Python objects that will be deserialized on the server side, allowing attackers to execute arbitrary code on the victim's machine. This issue has been patched via commit 6f25326.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| fugue-project | fugue | <= 0.9.2 | - | - |
cpe:2.3:a:fugue-project:fugue:<=_0.9.2:*:*:*:*:*:*:*
|
| fugue-project | fugue | * | - | - |
cpe:2.3:a:fugue-project:fugue:*:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (cna)
HIGHCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-62703 |
2025-11-27 03:28:08 | 2026-01-12 02:12:13 |
| NVD | nvd_CVE-2025-62703 |
2025-12-31 03:17:09 | 2026-01-12 02:27:57 |
版本与语言
安全公告
变更历史
查看详细变更
- affected_products_count: 1 -> 2
- data_sources: ['cve'] -> ['cve', 'nvd']