Security ⚑ Critical severity

Unsafe Deserialization

Using `pickle`, `yaml.unsafe_load`, or `vm.runInContext` on attacker-controlled data leads to RCE.

Python’s `pickle`, `yaml.unsafe_load`, and Node.js `vm.runInNewContext` with serialized data can invoke arbitrary code during deserialization. Even JSON-based formats like `jsonpickle` can reconstruct Python objects with side effects. An attacker who can plant malicious serialized data (cached sessions, message queues, inter-service communication) achieves RCE.

❌ Vulnerable

```python
# VULNERABLE — pickle deserializes untrusted data
import pickle, os
data = request.form['payload']  # attacker-controlled
obj = pickle.loads(data)  # RCE: __reduce__ can call os.system()
```

✓ Fixed

```python
# FIXED — never deserialize untrusted data with pickle
import json
data = request.form['payload']
# Use JSON with strict schema validation
obj = json.loads(data)
# For YAML: use yaml.safe_load (not yaml.unsafe_load)
# For jsonpickle: use a safe_unpickler that disallows import of dangerous classes
```

CVE-2024-40711 (Python pickle deserialization RCE), CVE-2025-55182 / React2Shell (React Server Components unsafe deserialization via RSC payload, RCE), CVE-2023-37466 (vm2 sandbox escape, CVSS 9.8), CVE-2026-43999 (vm2 sandbox bypass loading child_process, CVSS 9.9).
PullLight flags `pickle.loads`, `yaml.unsafe_load`, `yaml.load` (without Loader), `marshal.loads`, `vm.runInContext` calls where data originates from user input. It detects `jsonpickle.decode` and similar unsafe deserialization patterns, and flags when serialized data crosses trust boundaries (IPC, queue, HTTP headers).
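
The Python call patterns listed above can be approximated with the standard `ast` module. The following is an added example, not PullLight's implementation: it resolves import aliases and flags every matching call site without tracing whether the argument comes from user input. `find_unsafe_deserialization`, its helpers and `SAMPLE` are hypothetical names.

```python
import ast

# Added illustration (not PullLight's code): Python sinks named on this page.
ALWAYS_UNSAFE = {"pickle.loads", "marshal.loads", "yaml.unsafe_load", "jsonpickle.decode"}
SAFE_YAML_LOADERS = {"yaml.SafeLoader", "yaml.CSafeLoader"}
# Constructed sample input: lines 2 and 3 should be flagged, line 4 accepted.
SAMPLE = ("import pickle as p, yaml\na = p.loads(blob)\n"
          "b = yaml.load(doc)\nc = yaml.load(doc, Loader=yaml.SafeLoader)\n")

def _aliases(tree):
    """Map local names to their origin: `import pickle as p` -> {"p": "pickle"}."""
    names = {}
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            prefix = f"{node.module}." if getattr(node, "module", None) else ""
            for a in node.names:
                names[a.asname or a.name] = prefix + a.name
    return names

def _dotted(expr, names):
    """Resolve `p.loads` or a bare imported `loads` to 'pickle.loads'; None otherwise."""
    parts = []
    while isinstance(expr, ast.Attribute):
        parts.append(expr.attr)
        expr = expr.value
    if not isinstance(expr, ast.Name):
        return None
    parts.append(names.get(expr.id, expr.id))
    return ".".join(reversed(parts))

def _yaml_load_is_safe(call, names):
    """Accept yaml.load only with an explicit safe Loader (2nd positional or keyword)."""
    loader = call.args[1] if len(call.args) > 1 else None
    for kw in call.keywords:
        if kw.arg == "Loader":
            loader = kw.value
    return loader is not None and _dotted(loader, names) in SAFE_YAML_LOADERS

def find_unsafe_deserialization(source):
    """Return sorted (line, finding) pairs for risky deserialization calls in `source`."""
    tree = ast.parse(source)
    names = _aliases(tree)
    hits = []
    for node in ast.walk(tree):
        target = _dotted(node.func, names) if isinstance(node, ast.Call) else None
        if target in ALWAYS_UNSAFE:
            hits.append((node.lineno, target))
        elif target == "yaml.load" and not _yaml_load_is_safe(node, names):
            hits.append((node.lineno, "yaml.load without a safe Loader"))
    return sorted(hits)
```

Because this check has no data-flow analysis, each finding still needs a reviewer to confirm whether the deserialized bytes cross a trust boundary.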