PyPI: rpc-py

CVE-2022-35411

Safety vulnerability ID: SFTY-20220708-03846

Safety legacy ID: pyup.io-54433

Rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle. A fix for this issue is on master branch of the project's Github repository. https://github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd

PythonPyPINVDNVDGitHubGHSA
Created at: Apr 14, 2026Updated at: Apr 14, 2026

Overview

rpc.py vulnerable to Deserialization of Untrusted Data

Advisory

Rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle. A fix for this issue is on master branch of the project's Github repository. https://github.com/abersheeran/rpc.py/commit/491e7a841ed9a754796d6ab047a9fb16e23bf8bd

Affected Package

Affecting rpc-py package, versions
>=0.4.2

Also affects

---

How to Fix

Upgrade
rpc-py
to
0.1.1
or higher.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Vulnerable function data is available for Enterprise customers

Book a call with us to see Safety in action.

References

Safety

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.

Learn more