The PyPI-distributed version of PLY (Python Lex-Yacc) 3.11 has been found to have a critical vulnerability that permits arbitrary code execution through unsafe deserialization of untrusted pickle files. The vulnerability, designated CVE-2025-56005, affects the yacc() function's undocumented picklefile parameter, which is present in the production release but is not included in official documentation.
The source of the vulnerability is the yacc(picklefile=...) parameter, which invokes pickle.load() on attacker-controlled files without validation. Python's pickle module permits arbitrary code execution during deserialization through the __reduce__() method, so a malicious payload can run system commands prior to parser initialization. Because the code execution occurs silently during application startup, before any parsing logic is reached, the flaw has a distinct risk profile.
The vulnerability is especially risky in settings where parser tables are generated in CI/CD pipelines, shared across services, or cached on disk. The exposure arises when an attacker can alter, replace, or control the pickle file path, such as in the following areas or components:

- Locations of cached parser tables: places where local parser tables are kept
- Network directories that are shared: shared folders that are accessible over a network
- Pipeline artifacts for CI/CD: output files that are created and distributed
- File paths that are writable or configurable: writable paths defined by the application

A malicious pickle payload that runs system commands during deserialization can be used to illustrate the vulnerability. When yacc(picklefile='exploit.pkl') loads a crafted pickle file containing serialized objects with embedded __reduce__() methods, arbitrary code execution is ensured before the parser becomes functional.
The advisory states that companies should put the following mitigations into place right away:

- picklefile should not be used with externally writable or untrusted files.
- Turn off the loading of parser tables from user-specified locations.
- Every pickle file should be regarded as potentially dangerous input.
- Instead of loading from disk, dynamically regenerate parser tables.

Applications using PLY 3.11 should be updated by developers, and configurations should be audited for possible exposure via the undocumented parameter.
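One way to carry out the audit step is to search a code base statically for yacc() calls that pass picklefile. The script below is an added example, not code from PLY or from the advisory; it uses only Python's standard ast module, and the sample source with its names (cfg, grammar, TABLE_PATH, build_parser) is constructed for illustration.

```python
import ast

# Constructed sample source to audit; names such as cfg and grammar are hypothetical.
SAMPLE = '''
import os
import ply.yacc as yacc
from ply.yacc import yacc as build_parser

p1 = yacc.yacc(module=grammar)                       # no picklefile: not reported
p2 = yacc.yacc(picklefile="parsetab.pkl")            # literal path
p3 = yacc.yacc(picklefile=os.environ["TABLE_PATH"])  # path taken from the environment
p4 = build_parser(picklefile=cfg.table_path)         # aliased import, configurable path
'''

def _direct_yacc_names(tree):
    """Local names bound by 'from ply.yacc import yacc [as alias]'."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "ply.yacc":
            names.update(a.asname or a.name for a in node.names if a.name == "yacc")
    return names

def find_picklefile_calls(source, filename="<source>"):
    """Return sorted (filename, line, kind, expression) for yacc(picklefile=...) calls."""
    tree = ast.parse(source, filename)
    direct = _direct_yacc_names(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Heuristic: any '<x>.yacc(...)' attribute call, or a directly imported yacc name.
        is_yacc = (isinstance(func, ast.Attribute) and func.attr == "yacc") or (
            isinstance(func, ast.Name) and func.id in direct)
        if not is_yacc:
            continue
        for kw in node.keywords:
            if kw.arg != "picklefile":
                continue  # also skips **kwargs (kw.arg is None), which this audit cannot resolve
            if isinstance(kw.value, ast.Constant) and kw.value.value is None:
                continue  # explicit None: no pickle path given
            # A non-literal path can be influenced at run time, so review it first.
            kind = "literal-path" if isinstance(kw.value, ast.Constant) else "dynamic-path"
            findings.append((filename, node.lineno, kind, ast.unparse(kw.value)))
    return sorted(findings, key=lambda item: item[1])

if __name__ == "__main__":
    for name, line, kind, expr in find_picklefile_calls(SAMPLE, "sample.py"):
        print(f"{name}:{line}: yacc() loads parser tables from a pickle ({kind}): {expr}")
```

A literal-path finding still needs a check of who can write to that file; a dynamic-path finding additionally needs a check of where the path value comes from.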











