CVE-2022-35411 Overview
CVE-2022-35411 is a critical insecure deserialization vulnerability in rpc.py through version 0.6.0 that enables unauthenticated Remote Code Execution (RCE). The vulnerability occurs because the library performs an unsafe unpickle operation when an attacker sends a request with the serializer: pickle HTTP header. Although JSON is the default data serialization format, any unauthenticated client can force the server to process data using Python's dangerous pickle deserialization, leading to arbitrary code execution on the target system.
Critical Impact
Unauthenticated attackers can achieve full system compromise by sending malicious serialized Python objects via HTTP requests, requiring no user interaction or privileges.
Affected Products
- rpc.py versions through 0.6.0
- Applications using rpc.py with default configurations
- Any service exposing rpc.py endpoints to untrusted networks
Discovery Timeline
- 2022-07-08 - CVE-2022-35411 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-35411
Vulnerability Analysis
This vulnerability stems from Python's inherently dangerous pickle deserialization mechanism. Python's pickle module can serialize and deserialize arbitrary Python objects, and a pickle stream can instruct the unpickler to import and call arbitrary callables. When untrusted data is unpickled, an attacker-supplied payload can therefore execute arbitrary code during the deserialization step itself, before the application ever inspects the resulting object.
In rpc.py, the PickleSerializer class was registered by default in both SERIALIZER_NAMES and SERIALIZER_TYPES dictionaries within rpcpy/serializers.py. This allowed any client to override the default JSON serializer by simply including the appropriate HTTP header in their request, forcing the server to deserialize incoming data using pickle instead of the safer JSON format.
The vulnerability is particularly severe because it requires no authentication, can be exploited remotely over the network, and provides full code execution capabilities on the target system.
Root Cause
The root cause is the unconditional registration of the PickleSerializer in the default serializer mappings. The SERIALIZER_NAMES and SERIALIZER_TYPES dictionaries included pickle as an available serialization option without any access controls or warnings. This design flaw allowed unauthenticated remote users to select the dangerous pickle serializer through HTTP header manipulation, bypassing the intended JSON-only serialization.
Attack Vector
The attack vector involves sending a crafted HTTP request to an rpc.py endpoint with the serializer: pickle header (or equivalent Content-Type header). The request body contains a malicious pickled Python object that, when deserialized by the server, executes arbitrary code. The attacker crafts a payload using Python's pickle module with a custom __reduce__ method that returns a callable (such as os.system) along with attacker-controlled arguments.
return cbor.loads(data)
+# Since the release of pickle to the external network may lead to
+# arbitrary code execution vulnerabilities, this serialization
+# method is not enabled by default. It is recommended to turn it on
+# when there is physical isolation from the outside.
+
SERIALIZER_NAMES = {
JSONSerializer.name: JSONSerializer(),
- PickleSerializer.name: PickleSerializer(),
+ # PickleSerializer.name: PickleSerializer(),
MsgpackSerializer.name: MsgpackSerializer(),
CBORSerializer.name: CBORSerializer(),
}
SERIALIZER_TYPES = {
JSONSerializer.content_type: JSONSerializer(),
- PickleSerializer.content_type: PickleSerializer(),
+ # PickleSerializer.content_type: PickleSerializer(),
MsgpackSerializer.content_type: MsgpackSerializer(),
CBORSerializer.content_type: CBORSerializer(),
}
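Review bot: the registration is only commented out (the two `# PickleSerializer...` lines in SERIALIZER_NAMES and SERIALIZER_TYPES), so the serializer class stays in the module and is one uncomment away from being exposed to every client again; consider deleting the entries and gating pickle behind an explicit opt-in that the application passes at construction, with the header-selection code refusing any name absent from the mapping. The comment block at the top of the hunk should also spell out what "physical isolation from the outside" means in practice (no untrusted client can reach the endpoint), since that is the only condition under which re-enabling is acceptable.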
Source: GitHub Commit for rpc.py - Security patch that disables PickleSerializer by default
Detection Methods for CVE-2022-35411
Indicators of Compromise
- HTTP requests to rpc.py endpoints containing serializer: pickle header
- Requests with Content-Type: application/x-pickle or similar pickle-related content types
- Unusual process spawning from Python processes serving rpc.py applications
- Unexpected outbound network connections from application servers
Detection Strategies
- Implement WAF rules to block HTTP requests containing pickle-related serializer headers
- Monitor application logs for requests attempting to use non-JSON serialization formats
- Deploy network intrusion detection signatures for pickle deserialization attack patterns
- Use runtime application self-protection (RASP) to detect and block unsafe deserialization attempts
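The indicators and detection strategies above can be checked against access logs directly. The following is an added example, not code from the original page or from the rpc.py project: it parses a constructed log format (nginx "combined" with the `$http_serializer` and `$content_type` fields appended) and flags requests that select pickle by header or content type, distinguishing requests the server accepted (2xx) from ones that were rejected. The sample log lines, IP addresses and the `/rpc/hello` path are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed log format for this example: the nginx "combined" format with the
# request's 'serializer' header ($http_serializer) and Content-Type ($content_type)
# appended as two extra quoted fields. nginx logs an absent header as "-".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<serializer>[^"]*)" "(?P<ctype>[^"]*)"$'
)

# Constructed sample lines: one benign JSON call, one pickle request the server
# answered 200 (worst case), one pickle request blocked with 403, one msgpack call.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jul/2022:10:01:02 +0000] "POST /rpc/hello HTTP/1.1" 200 17 "-" "python-requests/2.28" "-" "application/json"
203.0.113.9 - - [08/Jul/2022:10:01:03 +0000] "POST /rpc/hello HTTP/1.1" 200 17 "-" "curl/7.81" "pickle" "application/x-pickle"
198.51.100.4 - - [08/Jul/2022:10:01:04 +0000] "POST /rpc/hello HTTP/1.1" 403 0 "-" "curl/7.81" "-" "application/x-pickle"
198.51.100.4 - - [08/Jul/2022:10:01:05 +0000] "POST /rpc/hello HTTP/1.1" 200 17 "-" "curl/7.81" "msgpack" "application/x-msgpack"
"""


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    status: int
    reason: str
    outcome: str  # "accepted" (2xx: the server processed the body) or "rejected"


def classify(serializer, ctype):
    """Return why a request matches the pickle IoCs, or None if it does not:
    an explicit 'serializer: pickle' header or a pickle-flavoured Content-Type."""
    if serializer.strip().lower() == "pickle":
        return "serializer header requests pickle"
    if "pickle" in ctype.lower():
        return f"content type {ctype!r} indicates pickle"
    return None


def scan_log(text):
    """Scan log text; return (findings, unparsed_lines). Lines that do not match
    the expected format are reported rather than silently dropped, because a
    parser gap is itself a detection gap."""
    findings, unparsed = [], []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        reason = classify(m["serializer"], m["ctype"])
        if reason is None:
            continue
        status = int(m["status"])
        outcome = "accepted" if 200 <= status < 300 else "rejected"
        findings.append(Finding(m["ip"], m["ts"], m["path"], status, reason, outcome))
    return findings, unparsed


if __name__ == "__main__":
    found, bad = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.outcome:8} {f.ip:14} {f.ts} {f.path} {f.status} {f.reason}")
    if bad:
        print(f"{len(bad)} unparsable line(s)")
```

An "accepted" finding is the one to escalate: a 2xx on a pickle request means the server handed the body to the unpickler, so host-level indicators (unexpected child processes of the Python worker, new outbound connections) should be checked for that host and time window.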
Monitoring Recommendations
- Alert on any HTTP traffic with serializer: pickle header values targeting rpc.py services
- Monitor for unusual process execution chains originating from Python web application processes
- Implement file integrity monitoring on systems running rpc.py applications
- Track and alert on any modifications to serializer configuration in deployed applications
How to Mitigate CVE-2022-35411
Immediate Actions Required
- Upgrade rpc.py to a patched version that disables PickleSerializer by default
- Audit all deployments using rpc.py to identify exposed instances
- Implement network segmentation to restrict access to rpc.py services from untrusted networks
- Deploy WAF rules to block requests with pickle serialization headers as an interim measure
Patch Information
The vulnerability has been addressed in commit 491e7a841ed9a754796d6ab047a9fb16e23bf8bd. The fix comments out the PickleSerializer registration in both SERIALIZER_NAMES and SERIALIZER_TYPES dictionaries within rpcpy/serializers.py. The patch also includes a warning comment explaining that pickle serialization should only be enabled in physically isolated network environments due to the arbitrary code execution risk. Apply the patch by updating to the latest version of rpc.py from the official repository. For more details, see the GitHub Commit for rpc.py.
Workarounds
- Manually edit rpcpy/serializers.py to comment out or remove PickleSerializer from SERIALIZER_NAMES and SERIALIZER_TYPES
- Deploy a reverse proxy that strips or rejects requests with pickle-related serializer headers
- Restrict network access to rpc.py endpoints to trusted internal networks only
- Implement application-level validation to reject non-JSON serialization requests before they reach rpc.py
# Configuration example: Block pickle serializer at nginx reverse proxy level
# Add to nginx server or location block. nginx exposes the request's
# "serializer" header as $http_serializer and its Content-Type as $content_type.
if ($http_serializer ~* "pickle") {
    return 403;
}
# Or block by Content-Type header
if ($content_type ~* "pickle") {
    return 403;
}
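The last workaround, rejecting non-JSON serialization requests before they reach rpc.py, can be done inside the Python process as an ASGI middleware wrapped around the rpc.py application, which covers deployments where no reverse proxy sits in front. The following is an added example, not code from the original page or from the rpc.py project: it is a pure-ASGI middleware with no framework dependency that refuses any request whose `serializer` header names something outside an allowlist (so "pickle" is refused) or whose Content-Type mentions pickle, answering 415 without ever passing the body downstream. The `upstream_ok` stand-in app, the `/rpc/hello` path and the `simulate_request` driver are constructed for the example.

```python
import asyncio
import json

# Serializer names a client may select with the 'serializer' header.
# "pickle" is deliberately absent: anything not listed is refused before the
# wrapped rpc.py application parses the body. (Allowlist chosen for this example.)
ALLOWED_SERIALIZERS = {"json", "msgpack", "cbor"}


def should_reject(headers):
    """Decide from a {name: value} header dict (lower-case str keys) whether the
    request selects a disallowed serializer. Returns a reason string or None."""
    serializer = headers.get("serializer", "").strip().lower()
    content_type = headers.get("content-type", "").lower()
    if serializer and serializer not in ALLOWED_SERIALIZERS:
        return f"serializer header '{serializer}' is not allowed"
    if "pickle" in content_type:
        return f"content type '{content_type}' selects pickle"
    return None  # no header at all falls through to rpc.py's JSON default


class DenyPickleMiddleware:
    """Pure-ASGI middleware wrapping an rpc.py (or any ASGI) application."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            # ASGI delivers headers as a list of (name, value) byte pairs.
            headers = {k.decode("latin-1").lower(): v.decode("latin-1")
                       for k, v in scope.get("headers", [])}
            reason = should_reject(headers)
            if reason is not None:
                body = json.dumps({"error": reason}).encode()
                await send({"type": "http.response.start", "status": 415,
                            "headers": [(b"content-type", b"application/json")]})
                await send({"type": "http.response.body", "body": body})
                return  # body is never read, so it is never deserialized
        await self.app(scope, receive, send)


async def upstream_ok(scope, receive, send):
    """Stand-in for the real rpc.py app (constructed for this example): any
    request that gets this far is answered 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def simulate_request(raw_headers):
    """Drive the middleware in-process with a constructed scope and return the
    HTTP status a client would see. raw_headers: list of (name, value) str pairs."""
    scope = {"type": "http", "method": "POST", "path": "/rpc/hello",  # placeholder path
             "headers": [(k.encode(), v.encode()) for k, v in raw_headers]}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"{}", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(DenyPickleMiddleware(upstream_ok)(scope, receive, send))
    return next(m["status"] for m in sent if m["type"] == "http.response.start")


if __name__ == "__main__":
    for hdrs in ([("content-type", "application/json")],
                 [("serializer", "pickle")],
                 [("content-type", "application/x-pickle")]):
        print(hdrs, "->", simulate_request(hdrs))
```

In a real deployment the middleware is applied as `DenyPickleMiddleware(rpc_app)` and that wrapped object is what the ASGI server is pointed at. The allowlist approach matters more than the "pickle" string match: it also refuses any future or misspelled serializer name, so the decision is made by what is permitted rather than by what is known to be dangerous.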
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.