Unauthenticated Remote Code Execution vulnerability
ehtec opened this issue · comments
Unfortunately, I have not received any replies from the maintainer within a time frame of two weeks, so I am disclosing this vulnerability that is still existent in the latest version, with no patch available:
https://medium.com/@elias.hohl/remote-code-execution-0-day-in-rpc-py-709c76690c30
By design, rpc.py is not designed for an API that is open to the outside world. In actual use, no external requests can reach the rpc.py service, so I don't think this vulnerability will have a big impact, but still thank you for your feedback. I have turned off this serialization in the latest commit.
In older versions, just use the following code to turn off pickle:
# Import path assumed to be rpcpy.serializers; adjust if your version differs.
from rpcpy.serializers import SERIALIZER_NAMES, SERIALIZER_TYPES, PickleSerializer

# Remove the pickle serializer from both lookup tables so that neither the
# serializer name nor its Content-Type can select it for untrusted input.
del SERIALIZER_NAMES[PickleSerializer.name]
del SERIALIZER_TYPES[PickleSerializer.content_type]
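The workaround above removes pickle from the server's serializer lookup tables. The following is an added example, not rpc.py's own code, that models such a registry in a few lines so the effect of the fix can be checked: a request whose Content-Type is no longer registered is refused before any bytes are deserialized, and the pickle body used in the check is a harmless constructed dict. The names SERIALIZER_NAMES, SERIALIZER_TYPES, JSONSerializer, PickleSerializer, deserialize and disable_pickle are assumptions for this illustration and are not the rpc.py API.

```python
import json
import pickle
from typing import Any, Dict


class JSONSerializer:
    # Assumed toy serializer: JSON only produces plain data, never objects.
    name = "json"
    content_type = "application/json"

    def encode(self, obj: Any) -> bytes:
        return json.dumps(obj).encode("utf-8")

    def decode(self, data: bytes) -> Any:
        return json.loads(data.decode("utf-8"))


class PickleSerializer:
    # Assumed toy serializer: unpickling untrusted bytes lets the sender choose
    # which callables run on the server, so it is only acceptable between
    # fully trusted peers.
    name = "pickle"
    content_type = "application/x-pickle"

    def encode(self, obj: Any) -> bytes:
        return pickle.dumps(obj)

    def decode(self, data: bytes) -> Any:
        return pickle.loads(data)


# Two lookup tables, keyed by short name and by Content-Type, mirroring the
# two `del` statements in the maintainer's workaround.
SERIALIZER_NAMES: Dict[str, Any] = {
    s.name: s for s in (JSONSerializer(), PickleSerializer())
}
SERIALIZER_TYPES: Dict[str, Any] = {
    s.content_type: s for s in SERIALIZER_NAMES.values()
}


class UnsupportedContentType(ValueError):
    """Raised when a request names a serializer that is not registered."""


def deserialize(content_type: str, body: bytes) -> Any:
    """Dispatch on the request's Content-Type; anything unregistered is rejected
    before the body is touched, which is what makes removal a real fix."""
    media_type = content_type.split(";")[0].strip().lower()
    serializer = SERIALIZER_TYPES.get(media_type)
    if serializer is None:
        raise UnsupportedContentType(content_type)
    return serializer.decode(body)


def disable_pickle() -> None:
    """The maintainer's workaround applied to this toy registry."""
    SERIALIZER_NAMES.pop(PickleSerializer.name, None)
    SERIALIZER_TYPES.pop(PickleSerializer.content_type, None)


def pickle_is_accepted() -> bool:
    """True if the server would unpickle a client body at all. The body is a
    constructed, harmless dict; the point is whether unpickling happens."""
    body = pickle.dumps({"method": "add", "args": [1, 2]})
    try:
        deserialize("application/x-pickle", body)
        return True
    except UnsupportedContentType:
        return False


if __name__ == "__main__":
    print("pickle accepted before fix:", pickle_is_accepted())
    disable_pickle()
    print("pickle accepted after fix:", pickle_is_accepted())
    print(deserialize("application/json", b'{"method": "add", "args": [1, 2]}'))
```

Running the block prints `True`, then `False`, then the decoded JSON request. The useful property to verify in a real deployment is the same one `pickle_is_accepted` checks: after the fix, a pickle Content-Type must produce an error response rather than a result, independent of what the body contains.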