CVE-2019-12760: Deserialization vulnerability exists in parso
CVSS Score: 7.5 (CVSS v3.0)
Basic Information
CVE ID: CVE-2019-12760
GHSA ID:
EPSS Score: 0.70295%
CWE:
Published: 6/13/2019
Updated: 10/9/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
parso | pip | <= 0.4.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from parso's cache mechanism, which uses pickle to load cached grammar files. Grammar.parse() enables cache loading, and _load_from_cache_specific in cache.py deserializes the cache file directly with pickle.load(), so any data placed in the cache path is treated as trusted. The PoC demonstrates exploitation by writing malicious pickles to the cache path and triggering parsing. These two functions form the insecure deserialization chain.