The Python PLY (Python Lex-Yacc) library has been found to have a serious security flaw that permits remote code execution (RCE) via an undocumented feature in the PyPI-distributed version 3.11. This article looks at the yacc picklefile exploit. Ahmed Abd, a security researcher, reported the vulnerability on July 1, 2025, and it is tracked as CVE-2025-56005.

Technical Overview of CVE-2025-56005

Field               Information
Vulnerability Type  Arbitrary Code Execution (RCE)
CVE ID              CVE-2025-56005
CWE                 CWE-502: Deserialization of Untrusted Data

An undocumented picklefile parameter in ply.yacc.yacc() is the source of the vulnerability. When this parameter is used, Python's pickle.load() loads parser tables from a .pkl file without any validation.

An attacker who can control or influence the .pkl file passed to yacc(picklefile=...) can execute arbitrary code on the system during parser initialization, before any actual parsing logic runs, because Python's pickle module can execute arbitrary code during deserialization (for instance, via __reduce__()). Interestingly, this parameter is active in the PyPI release of PLY 3.11 but is not mentioned in the official PLY documentation or GitHub repository. The maintainer had not publicly acknowledged this behavior at the time of disclosure.

An attacker who is able to locate or alter the pickle file that yacc uses (picklefile=...) can accomplish the following:

- Arbitrary code execution when a parser is set up or an application launches
- Poisoned parser tables for covert persistence

Environments are at greater risk when parser table files are:

- stored in an on-disk cache
- kept in shared directories by services or users
- produced or consumed in CI/CD pipelines
- loaded from writable or configurable paths

In these configurations, an attacker who breaches a deployment pipeline, a shared file system, or the build infrastructure could introduce a malicious .pkl file that silently runs code each time the parser is initialized. The published proof of concept defines a minimal lexer and parser and then creates a malicious pickle payload.

During deserialization, a custom Exploit class uses __reduce__() to execute an operating system command (such as creating a /tmp/pwned file). The command runs as soon as yacc(picklefile='exploit.pkl', ...) loads the parser tables, before any input is parsed.

Until a fixed release is made available, PLY users ought to:

- Not use picklefile, especially when dealing with writable or untrusted files.
- Treat pickle files as untrusted input, even if they seem to be internal cache files.
- Prefer regenerating parser tables at startup instead of loading them from disk.

Any parser table storage locations should have their file paths and permissions hardened. Companies should audit CI/CD and shared storage paths where .pkl parser tables may be located, check codebases for the use of yacc(picklefile=...), and keep an eye out for vendor updates regarding CVE-2025-56005.
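As an added example (not code from the advisory or from PLY itself), the following audits a parser-table file before it is trusted: a static opcode scan with pickletools, followed by a restricted Unpickler that refuses every global lookup, so a __reduce__() payload never reaches a callable. It assumes that legitimate tables contain only builtin containers and scalars (an assumption, not verified against every PLY release); both sample files are constructed.

```python
import datetime, io, pickle, pickletools

# Opcodes that resolve a module attribute or invoke a callable while loading.
DANGEROUS_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                     "NEWOBJ", "NEWOBJ_EX", "BUILD", "EXT1", "EXT2", "EXT4"}

def find_dangerous_opcodes(data):
    """Disassemble every pickle in the stream (PLY writes one dump() per table
    into one file); pickletools only decodes, nothing is executed."""
    buf, found = io.BytesIO(data), []
    while buf.tell() < len(data):
        for opcode, _arg, pos in pickletools.genops(buf):
            if opcode.name in DANGEROUS_OPCODES:
                found.append((opcode.name, pos))
    return found

class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuse every module.attribute lookup. Assumption: genuine tables hold
    only dicts, lists, tuples, str, int and None, which never call find_class."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def load_table_stream(data):
    """Load each object of the stream through the restricted unpickler."""
    buf, objects = io.BytesIO(data), []
    while buf.tell() < len(data):
        objects.append(NoGlobalsUnpickler(buf).load())
    return objects

def check_table_file(data):
    """Return (ok, reason): static opcode scan first, then a restricted load."""
    bad = find_dangerous_opcodes(data)
    if bad:
        return False, f"code-reaching opcodes: {bad}"
    try:
        load_table_stream(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)
    return True, "plain data only"

# Constructed sample 1: the shape of a benign table file (version, method,
# action table, productions) written as consecutive dump() calls.
BENIGN = b"".join(pickle.dumps(obj) for obj in (
    "3.10", "LALR", {0: {"NUMBER": 2}}, [("S' -> expr", "S'", 1, None, "", 0)]))

# Constructed sample 2: a file carrying a non-builtin object. Pickle encodes it
# as "look up this callable, then call it" (STACK_GLOBAL + REDUCE), the same
# path a hostile __reduce__() uses; a harmless date stands in for the payload.
RIGGED = pickle.dumps(datetime.date(2025, 7, 1))
```

The scan is the cheap first line of defence for a CI job over shared caches; the restricted loader is what a service should use if it cannot yet drop picklefile altogether.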