7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-12760

GHSA ID

GHSA-22mf-97vh-x8rw

EPSS Score

0.70295%

CWE

CWE-502

Published

6/13/2019

Updated

10/9/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-12760

CVE-2019-12760: Deserialization vulnerability exists in parso

** DISPUTED ** A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution. NOTE: This is disputed because "the cache directory is not under control of the attacker in any common configuration."

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-12760

GHSA ID

GHSA-22mf-97vh-x8rw

EPSS Score

0.70295%

CWE

CWE-502

Published

6/13/2019

Updated

10/9/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
parso	pip	<= 0.4.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from parso's cache mechanism using pickle to load grammar files. The Grammar.parse() method enables cache loading, while _load_from_cache_specific in cache.py directly deserializes untrusted data via pickle.load(). The PoC demonstrates exploitation by writing malicious pickles to the cache path and triggering parsing. These functions are explicitly involved in the insecure deserialization chain.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

** *ISPUT** ** * **s*ri*liz*tion vuln*r**ility *xists in t** w*y p*rso t*rou** *.*.* **n*l*s *r*mm*r p*rsin* *rom t** *****. ***** lo**in* r*li*s on pi*kl* *n*, provi*** t**t *n *vil pi*kl* **n ** writt*n to * ***** *r*mm*r *il* *n* t**t its p*rsin*

Reasoning

T** vuln*r**ility st*ms *rom p*rso's ***** m****nism usin* pi*kl* to lo** *r*mm*r *il*s. T** *r*mm*r.p*rs*() m*t*o* *n**l*s ***** lo**in*, w*il* _lo**_*rom_*****_sp**i*i* in *****.py *ir**tly **s*ri*liz*s untrust** **t* vi* pi*kl*.lo**(). T** Po* **m

7.5

Basic Information

Concerned about an active attack path?

CVE-2019-12760: Deserialization vulnerability exists in parso

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI