Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter

[Alan Coopersmith <alan.coopersmith () oracle com>]

On 1/23/26 11:06, Alan Coopersmith wrote:
> https://github.com/bohmiiidd/Undocumented-RCE-in-PLY claims:
>
> > Undocumented Remote Code Execution in PLY CVE-2025-56005
> > --------------------------------------------------------

https://www.cve.org/CVERecord?id=CVE-2025-56005 has added to the references
a link to https://github.com/tom025/ply_exploit_rejection which argues that
this CVE should be rejected because:

> ## Argument 1: The Proof of Concept does not complete sucessfully ##
>
> In this project the code from the proof of concept has been copied to main.py.
>
> ### Run the proof of concept ###
>
> To run the exploit ensure that you have installed uv.
>
> Run
>
>     uv sync
>
> this will install `ply==3.11` as a project dependency.
>
> Run
>
>     uv run main.py
>
> This will run the proof of concept. This results in the program exiting early
> with a `AttributeError: 'function' object has no attribute 'input'`.
>
> The text `VULNERABLE` is not in the file `/tmp/pwned`. This is not a working
> example of the alleged vulnerability.
>
> ## Argument 2: The proof of concept does not demonstrate Arbitrary Code Execution
> as claimed ##
>
> Referring to the proof of concept code this does not demonstrate Arbitrary Code
> Execution as there is a single program running and no untrusted data has been
> passed between processes. This is not a demonstration of CWE-502 as claimed.

See the github repo for the code project in question.

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris