Abandoned Python PLY Library Harbors Critical RCE Vulnerability (CVSS 9.8)
- Jan 26
- 2 min read
Key Findings
A critical vulnerability (CVE-2025-56005) with a CVSS score of 9.8 has been discovered in the PLY (Python Lex-Yacc) library, a popular parsing library used in the Python community.
The vulnerability allows Remote Code Execution (RCE) and stems from an undocumented "picklefile" parameter in the `yacc()` function.
The issue is caused by unsafe deserialization of untrusted data with Python's `pickle.load()` function.
The project's maintainer, David Beazley, has announced the abandonment of the PLY project, leaving no official patch for this vulnerability.
Background
PLY (Python Lex-Yacc) is a zero-dependency implementation of the traditional parsing tools lex and yacc, widely used for parsing complex languages in the Python ecosystem. The library has been serving the Python community for over 25 years.
Vulnerability Details
The vulnerability lies in the `yacc()` function, which contains an undocumented parameter named "picklefile".
This parameter is not documented in the official PLY documentation or GitHub repository, yet it is present in the PyPI release.
The "picklefile" parameter was likely intended for caching or state saving, but its implementation is fundamentally unsafe.
When `picklefile` is supplied, PLY reads the file at that path with Python's standard `pickle.load()` function and performs no validation of its contents.
The `pickle` module is notoriously dangerous with untrusted data: a pickle stream can instruct the unpickler to call arbitrary callables (for example through a class's `__reduce__()` method), so code executes during deserialization, before the loaded object is ever returned to the caller.
An attacker who can write the file at the `picklefile` path, or otherwise control its contents, therefore executes arbitrary code during parser initialization, with the privileges of the process building the parser, leading to Remote Code Execution (RCE) on the target system.
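The mechanism above, and one way to read pickled parser tables without it, as an added example that is not PLY's code: the `Payload` class, the `PLY_DEMO_PWNED` marker and the `RestrictedUnpickler` are this example's own constructions. It assumes, as the article describes, that the vulnerable path is a bare `pickle.load()` on a file the attacker can write; the "table" it loads is a constructed stand-in made only of built-in types, which is the property the restricted loader relies on.

```python
"""Added illustration of why an attacker-writable picklefile is code execution,
and of a loader that refuses to resolve callables.  Not PLY's own code."""
import io
import os
import pickle

# Marker the demo payload sets; stands in for the attacker's real effect.
MARKER = "PLY_DEMO_PWNED"


class Payload:
    """Stands in for the object an attacker pickles into the picklefile.

    pickle records the result of __reduce__ as "call this callable with these
    arguments", and pickle.load() performs that call while reading the stream.
    A real attacker would name os.system or subprocess.Popen; this demo calls
    exec with a one-liner that only sets an environment variable in the current
    process, so the effect is observable but harmless.
    """

    def __reduce__(self):
        code = f"import os; os.environ[{MARKER!r}] = '1'"
        return (exec, (code, {}))


def build_malicious_picklefile() -> bytes:
    """Bytes an attacker would write to the path the parser was told to load."""
    return pickle.dumps(Payload())


def load_like_ply(data: bytes):
    """The vulnerable pattern: plain pickle.load() on bytes read from disk.
    The payload's callable runs before this function returns anything."""
    return pickle.load(io.BytesIO(data))


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup.

    Tables made only of strings, ints, None, tuples, lists and dicts never
    trigger find_class, so such tables still load, while any stream that tries
    to resolve a callable (exec, os.system, ...) is rejected before it runs.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} while loading parser tables")


def load_tables_safely(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Run both loaders on a benign table and on the malicious picklefile."""
    os.environ.pop(MARKER, None)
    # Constructed stand-in for a pickled LALR action table: builtin types only.
    table = {"$end": -1, "expression": {"NUMBER": 3, "(": 4}}
    results = {"benign_ok": load_tables_safely(pickle.dumps(table)) == table}

    # Unsafe loader: the payload runs and the marker appears in the environment.
    load_like_ply(build_malicious_picklefile())
    results["unsafe_executed"] = os.environ.get(MARKER) == "1"

    # Restricted loader: the STACK_GLOBAL lookup for builtins.exec is refused.
    os.environ.pop(MARKER, None)
    try:
        load_tables_safely(build_malicious_picklefile())
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    results["restricted_rejected"] = rejected
    results["restricted_executed"] = os.environ.get(MARKER) == "1"
    return results


if __name__ == "__main__":
    print(demo())
```

The restricted loader is a containment measure for code that cannot drop the parameter yet; the article's primary advice, not passing `picklefile` at all, still applies, and the file's directory permissions still matter because the check only stops callable resolution, not tampering with the table contents.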
Impact and Mitigation
The vulnerability carries a CVSS score of 9.8, rated Critical (the scale tops out at 10.0).
With the project's maintainer abandoning the PLY project, there is no official patch or fix expected for this vulnerability.
Developers still relying on PLY should not pass the undocumented `picklefile` argument, and should ensure that user input cannot influence the arguments passed to `yacc()`. Where the parameter is already in use, treat the pickle file as executable code: it must live in a location that untrusted users cannot write to, since whatever is at that path is deserialized the next time the parser is built.
Security teams should audit their codebases for any use of PLY, starting with `yacc()` calls that pass `picklefile`, and remove or harden those call sites before an attacker finds a writable path.
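A way to carry out that audit, as an added helper that is not part of PLY: it walks the AST of each Python file, finds calls to `yacc` (by name, by attribute, or through an alias created by `from ply.yacc import yacc as ...`), and reports any that pass `picklefile=` or a keyword splat that could hide it, distinguishing string-literal paths from computed ones. The `SAMPLE` module is constructed for the demonstration; the names `cache_dir`, `user_supplied` and `TABLE_PATH` inside it are placeholders.

```python
"""Added audit helper for picklefile= usage in yacc() calls.  Standard library
only, so it can run in CI without installing PLY.  Not PLY's own code."""
import ast
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Finding:
    path: str
    line: int
    callee: str    # call expression as written, e.g. "yacc.yacc"
    value: str     # source text of the picklefile argument
    dynamic: bool  # False only when the path is a string literal
    note: str


def _yacc_names(tree: ast.AST) -> set:
    """Names that refer to ply.yacc.yacc in this module, including aliases
    created by `from ply.yacc import yacc as build_parser`."""
    names = {"yacc"}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "ply.yacc":
            for alias in node.names:
                if alias.name == "yacc":
                    names.add(alias.asname or alias.name)
    return names


def _is_yacc_call(call: ast.Call, names: set) -> bool:
    func = call.func
    if isinstance(func, ast.Attribute):   # yacc.yacc(...), ply.yacc.yacc(...)
        return func.attr == "yacc"
    if isinstance(func, ast.Name):        # yacc(...) or an aliased import
        return func.id in names
    return False


def audit_source(source: str, path: str = "<memory>") -> list:
    tree = ast.parse(source, path)
    names = _yacc_names(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not _is_yacc_call(node, names):
            continue
        callee = ast.unparse(node.func)
        for kw in node.keywords:
            if kw.arg == "picklefile":
                literal = isinstance(kw.value, ast.Constant)
                note = ("literal path: verify the file and its directory are "
                        "not writable by untrusted users" if literal else
                        "computed path: trace every input that reaches it")
                findings.append(Finding(path, node.lineno, callee,
                                        ast.unparse(kw.value), not literal, note))
            elif kw.arg is None:
                # yacc(**options): the keys are not visible statically.
                findings.append(Finding(path, node.lineno, callee,
                                        "**" + ast.unparse(kw.value), True,
                                        "keyword splat: inspect the dict for a picklefile key"))
    return findings


def audit_tree(root: Path) -> list:
    """Audit every .py file under root; unparsable files are skipped."""
    findings = []
    for py in sorted(root.rglob("*.py")):
        try:
            findings.extend(audit_source(py.read_text(encoding="utf-8"), str(py)))
        except (SyntaxError, UnicodeDecodeError):
            continue
    return findings


# Constructed sample module exercising the patterns the auditor recognises.
SAMPLE = '''\
import os
import ply.yacc as yacc
from ply.yacc import yacc as build_parser
parser_a = yacc.yacc(picklefile="parsetab.pkl")
parser_b = yacc.yacc(debug=False, picklefile=os.path.join(cache_dir, "tab.pkl"))
opts = {"picklefile": user_supplied}
parser_c = yacc.yacc(**opts)
parser_d = yacc.yacc(write_tables=False)
parser_e = build_parser(picklefile=TABLE_PATH)
'''

if __name__ == "__main__":
    for f in audit_source(SAMPLE, "sample.py"):
        print(f"{f.path}:{f.line} {f.callee}(picklefile={f.value}) -> {f.note}")
```

Run `audit_tree(Path("."))` from the repository root to cover a whole checkout. The matcher is deliberately name-based and will miss `yacc` reached through `getattr` or a further re-export, so treat an empty result as "nothing obvious", not as proof of absence.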
Conclusion
The discovery of a critical RCE vulnerability in the abandoned PLY library highlights the risks associated with using legacy, unmaintained software components. Developers and security teams should be vigilant in identifying and addressing such vulnerabilities, especially in mission-critical applications. The lack of an official patch emphasizes the importance of proactive security measures and the need to migrate to more secure, actively maintained alternatives when possible.
Sources
https://securityonline.info/ghost-in-the-code-critical-rce-found-in-abandoned-python-ply-library-cvss-9-8/
https://x.com/the_yellow_fall/status/2015601844618227886