HIGH 8.0

PYSEC-2025-68

Details

A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the file /tools/add_tool of the component Pickle Handler. The manipulation leads to deserialization. The exploit has been disclosed to the public and may be used.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / upsonic

Introduced in: 0 Fixed in: 0.56.0

Fix pip install --upgrade 'upsonic>=0.56.0'

References

https://vuldb.com/?ctiid.313283 [ADVISORY]
https://vuldb.com/?id.313283 [ADVISORY]
https://vuldb.com/?submit.593099 [ADVISORY]
https://github.com/Upsonic/Upsonic/issues/353 [EVIDENCE]
https://github.com/Upsonic/Upsonic/issues/353 [REPORT]
https://vuldb.com/?ctiid.313283 [WEB]
https://vuldb.com/?id.313283 [WEB]
https://vuldb.com/?submit.593099 [WEB]
https://github.com/advisories/GHSA-rpfv-46xj-5984 [ADVISORY]