SYM_PY_0040 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Connection.recv() in Python's multiprocessing module automatically unpickles the bytes it receives, so calling it on a connection whose peer is untrusted is unsafe: a crafted message can execute malicious code during unpickling.
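Added example, not code from the Symbiotic database: over an in-process Pipe standing in for an untrusted peer, it shows that recv() reconstructs whatever object the peer pickled, next to a hardened receiver that reads raw bytes with recv_bytes() and accepts only strict JSON, so pickle is never reached. MAX_MESSAGE_BYTES and the cmd/args schema are constructed for the demo.

```python
import json
import pickle
from multiprocessing import Pipe
from multiprocessing.connection import Connection

MAX_MESSAGE_BYTES = 64 * 1024   # constructed cap; recv_bytes raises OSError above it
ALLOWED_KEYS = {"cmd", "args"}  # constructed message schema for this demo


def recv_pickled(conn: Connection):
    """The pattern the advisory warns about: recv() runs pickle.loads() on
    whatever bytes the peer framed, reconstructing arbitrary objects."""
    return conn.recv()


def recv_json(conn: Connection) -> dict:
    """Hardened receive: raw bytes in, strict JSON with a known key set out.
    pickle is never invoked, so a pickle payload is simply rejected."""
    raw = conn.recv_bytes(maxlength=MAX_MESSAGE_BYTES)
    try:
        msg = json.loads(raw.decode("utf-8"))
    except ValueError as exc:  # UnicodeDecodeError and JSONDecodeError both subclass it
        raise ValueError("rejected frame: not UTF-8 JSON") from exc
    if not isinstance(msg, dict) or set(msg) != ALLOWED_KEYS:
        raise ValueError("rejected frame: unexpected message shape")
    return msg


def demo() -> dict:
    """Send the same bytes down a Pipe and read them both ways. The pipe stands
    in for an untrusted peer; the payload is a benign, constructed pickle."""
    payload = pickle.dumps({"cmd": "ping", "args": []})
    peer, ours = Pipe()
    peer.send_bytes(payload)
    unpickled = recv_pickled(ours)            # recv() silently unpickles
    peer.send_bytes(payload)
    try:
        recv_json(ours)
        pickle_rejected = False
    except ValueError:
        pickle_rejected = True                # hardened path refuses pickle bytes
    peer.send_bytes(json.dumps({"cmd": "ping", "args": []}).encode())
    accepted = recv_json(ours)                # well-formed JSON passes
    return {"unpickled": unpickled, "pickle_rejected": pickle_rejected,
            "json_accepted": accepted}
```

Where the peer must remain a pickle-speaking Python process, the documented control is to authenticate it first with the authkey HMAC challenge that multiprocessing.connection's Listener and Client perform.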
Impact
An attacker who can send data to the process could exploit this to execute arbitrary code within your application, potentially leading to data theft, corruption, or full system compromise.