Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-70560

CVE-2025-70560: Boltz 2.0.0 RCE Vulnerability

CVE-2025-70560 is a remote code execution vulnerability in Boltz 2.0.0 caused by insecure deserialization of pickle files. Attackers can execute arbitrary code by placing malicious files. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-70560 Overview

CVE-2025-70560 is an insecure deserialization vulnerability in Boltz 2.0.0, a Python-based application used for molecule loading functionality. The vulnerability exists because the application uses Python pickle to deserialize molecule data files without proper validation. An attacker who can place a malicious pickle file in a directory processed by Boltz can achieve arbitrary code execution when the file is loaded.

Critical Impact

Successful exploitation enables arbitrary code execution with the privileges of the application, potentially leading to complete system compromise, data exfiltration, or lateral movement within affected environments.

Affected Products

  • Boltz 2.0.0
  • Systems processing untrusted molecule data files with Boltz

Discovery Timeline

  • 2026-02-03 - CVE CVE-2025-70560 published to NVD
  • 2026-02-04 - Last updated in NVD database

Technical Details for CVE-2025-70560

Vulnerability Analysis

This vulnerability falls under CWE-502 (Deserialization of Untrusted Data), a well-documented class of security flaws that occurs when applications deserialize data from untrusted sources without adequate safeguards. In the case of Boltz 2.0.0, the molecule loading functionality utilizes Python's native pickle module to deserialize molecule data files.

Python's pickle module is inherently unsafe for processing untrusted data because it can execute arbitrary Python code during the deserialization process. When a pickle file is loaded, the __reduce__ method of contained objects can be exploited to execute system commands, import modules, or perform other malicious operations. The vulnerability requires local access to place a malicious file in a directory that Boltz processes, but once triggered, it provides full code execution capabilities.

Root Cause

The root cause of this vulnerability is the use of Python's pickle.load() or pickle.loads() functions on untrusted input without implementing any validation, sandboxing, or safe deserialization alternatives. The vulnerable code path exists in the mol.py file within the Boltz data handling module. The application trusts that all pickle files in processed directories are legitimate molecule data, creating an exploitation opportunity when an attacker can introduce malicious files.

Attack Vector

The attack requires local access to the system where Boltz is running. An attacker must be able to write a specially crafted pickle file to a directory that Boltz processes for molecule data. This could be achieved through:

  1. Direct file system access on a shared or multi-user system
  2. Exploiting another vulnerability that allows file upload or write operations
  3. Social engineering a user to download a malicious pickle file to a processed directory
  4. Supply chain attacks where malicious molecule data files are distributed through trusted channels

When Boltz processes the malicious pickle file, the embedded payload executes with the same privileges as the Boltz application, enabling arbitrary command execution, reverse shells, data theft, or further system compromise.

The vulnerable code pattern involves loading pickle files without validation. For technical details on the specific implementation, see the GitHub Code Analysis and the GitHub Issue #600 Discussion.

Detection Methods for CVE-2025-70560

Indicators of Compromise

  • Unexpected pickle files appearing in Boltz molecule data directories
  • Unusual process spawning from Boltz application processes
  • Anomalous network connections initiated by processes associated with Boltz
  • File system modifications or new file creations by the Boltz process outside normal operational paths

Detection Strategies

  • Monitor for file creation events in directories processed by Boltz, particularly files with .pkl, .pickle, or related extensions
  • Implement process monitoring to detect child processes spawned by the Boltz application that deviate from normal behavior
  • Deploy endpoint detection and response (EDR) solutions to identify pickle deserialization exploitation patterns
  • Enable Python runtime security monitoring to detect suspicious module imports or os.system() calls during deserialization

Monitoring Recommendations

  • Configure file integrity monitoring (FIM) on directories used by Boltz for molecule data processing
  • Implement application-level logging to track all file loading operations within Boltz
  • Set up alerts for unusual command execution patterns originating from Python processes running Boltz
  • Review and audit access controls on directories where Boltz reads molecule data files

How to Mitigate CVE-2025-70560

Immediate Actions Required

  • Audit all directories processed by Boltz 2.0.0 for unexpected or untrusted pickle files
  • Restrict write access to Boltz data directories to trusted users and processes only
  • Consider temporarily disabling Boltz or isolating systems running Boltz until a patch is available
  • Implement additional access controls and monitoring on systems running vulnerable versions

Patch Information

No official patch information is currently available in the CVE data. Users should monitor the GitHub Issue #600 Discussion for updates on a potential fix. Until a patch is released, implementing the recommended workarounds is critical to reducing exposure.

Workarounds

  • Implement strict file system permissions to prevent untrusted users from writing to directories processed by Boltz
  • Run Boltz in an isolated environment such as a container or sandbox to limit the impact of potential exploitation
  • Pre-validate all molecule data files before processing, rejecting any files that appear to be pickle format from untrusted sources
  • Consider using alternative serialization formats such as JSON or Protocol Buffers that do not allow code execution during deserialization
bash
# Example: Restrict write permissions on Boltz data directories
chmod 755 /path/to/boltz/data
chown root:boltz-users /path/to/boltz/data
# Remove write access for non-root users
chmod o-w /path/to/boltz/data
# Monitor for new files in the directory
inotifywait -m -e create /path/to/boltz/data

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.