9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-47248

GHSA ID

GHSA-5wvp-7f3h-6wmm

EPSS Score

0.994%

CWE

CWE-502

Published

11/9/2023

Updated

10/21/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-47248

CVE-2023-47248:
PyArrow: Arbitrary code execution when loading a malicious data file

Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).

This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.

It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.

If it is not possible to upgrade, maintainers provide a separate package pyarrow-hotfix that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-47248

GHSA ID

GHSA-5wvp-7f3h-6wmm

EPSS Score

0.994%

CWE

CWE-502

Published

11/9/2023

Updated

10/21/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pyarrow	pip	>= 0.14.0, < 14.0.1	14.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from PyArrow's PyExtensionType using pickle-based deserialization without proper safeguards. The commit f141709 explicitly disables PyExtensionType autoloading by default and deprecates it, replacing it with safer ExtensionType handling. The arrow_ext_deserialize method in PyExtensionType was directly responsible for unpickling untrusted data, while set_auto_load governed the dangerous default behavior. These functions are clearly implicated in the CWE-502 deserialization vulnerability as they allowed execution of arbitrary code via malicious payloads in Arrow/IPC/Parquet files.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**s*ri*liz*tion o* untrust** **t* in IP* *n* P*rqu*t r****rs in Py*rrow v*rsions *.**.* to **.*.* *llows *r*itr*ry *o** *x**ution. *n *ppli**tion is vuln*r**l* i* it r***s *rrow IP*, ***t**r or P*rqu*t **t* *rom untrust** sour**s (*or *x*mpl* us*r-su

Reasoning

T** vuln*r**ility st*ms *rom Py*rrow's Py*xt*nsionTyp* usin* pi*kl*-**s** **s*ri*liz*tion wit*out prop*r s****u*r*s. T** *ommit ******* *xpli*itly *is**l*s Py*xt*nsionTyp* *utolo**in* *y ****ult *n* **pr***t*s it, r*pl**in* it wit* s***r *xt*nsionTyp

9.8

Basic Information

Concerned about an active attack path?

CVE-2023-47248: PyArrow: Arbitrary code execution when loading a malicious data file

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-47248:
PyArrow: Arbitrary code execution when loading a malicious data file

Vulnerability Intelligence
Miggo AI