CVE-2022-35411

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-35411

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-35411.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-35411

Aliases

GHSA-8rq8-f485-7v8x

Published

2022-07-08T19:15:08.700Z

Modified

2025-11-14T13:25:14.039393Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.

References

Affected packages

Git / github.com/abersheeran/rpc.py

Affected ranges

Type: GIT
Repo: https://github.com/abersheeran/rpc.py
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

491e7a841ed9a754796d6ab047a9fb16e23bf8bd

Affected versions

v0.*

v0.1.0

v0.1.1

v0.2.0

v0.2.1

v0.2.2

v0.3.0

v0.3.1

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.5.0

v0.5.1

v0.6.0