PyPI: upsonic
CVE-2025-6279
Safety vulnerability ID: SFTY-20250619-01186
Safety legacy ID: pyup.io-78843
Affected versions of the Upsonic package are vulnerable to Deserialization of Untrusted Data (CWE-502) through unsafe pickle deserialization in the tool management functionality. The cloudpickle.loads call in the /tools/add_tool endpoint of the Pickle Handler component deserializes client-supplied data without any validation, so a client can have arbitrary Python objects constructed on the server. Because unpickling invokes whatever importable callable the pickle stream names, this amounts to code execution for anyone who can reach the endpoint.
Overview
Upsonic has a vulnerability in its Pickle Handler component that leads to deserialization of untrusted data.
How to Fix
Mitigation and Workarounds
No vendor workaround is listed on this page. General guidance for this class of bug: a pickle or cloudpickle stream is a program, not data, so no validation or sanitization of the bytes can make cloudpickle.loads safe on client-supplied input. Until an upgrade to a version with this issue resolved is possible, do not expose the /tools/add_tool endpoint to untrusted callers (restrict it to authenticated, trusted clients or remove its network exposure), and treat any unauthenticated reachability of the endpoint as remote code execution.
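The following Python is an added illustration, not code from the Upsonic project or from this advisory. It shows why the flaw described above cannot be fixed by inspecting the pickle bytes, and what does work: a payload whose unpickling runs attacker-chosen code (a harmless marker here, where a real attacker would name os.system), the unconditional-load pattern the advisory describes, a restricting Unpickler whose find_class hook denies every global not on an allowlist, and HMAC origin authentication for blobs the server produced itself. The endpoint name comes from the advisory; the function names, the allowlist, the server key and the UPSONIC_PICKLE_DEMO_RAN environment variable are assumptions for the example. cloudpickle.loads is the stdlib pickle.loads re-exported, so plain pickle reproduces the vulnerable call exactly.

```python
import hashlib
import hmac
import io
import os
import pickle

# cloudpickle.loads is pickle.loads re-exported, so plain pickle reproduces the
# vulnerable call from the advisory and the example runs without cloudpickle.

# Hypothetical environment variable, used only to observe that code executed.
MARKER = "UPSONIC_PICKLE_DEMO_RAN"


def marker_set():
    return os.environ.get(MARKER) == "ran"


def clear_marker():
    os.environ.pop(MARKER, None)


class MaliciousTool:
    """Any class decides what is invoked when an instance of it is unpickled."""

    def __reduce__(self):
        # pickle stores (callable, args) and calls callable(*args) on load.
        # A real payload would name os.system or subprocess.Popen; this one
        # only sets an environment variable so the demo is safe to run.
        code = f"__import__('os').environ.__setitem__({MARKER!r}, 'ran')"
        return (eval, (code,))


def build_malicious_pickle():
    # Constructed sample input: bytes a client would send to /tools/add_tool.
    return pickle.dumps(MaliciousTool(), protocol=pickle.HIGHEST_PROTOCOL)


def vulnerable_add_tool(data):
    """The flaw as described: unpickle client-supplied bytes unconditionally."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global (module.name lookup) not on an explicit allowlist.

    Pickle can only call a function it first resolves through find_class(),
    so this hook is the one structural control the stdlib offers. The
    allowlist below is an assumption for the example; a real service lists
    exactly the types its tool format needs and nothing that runs code.
    """

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def hardened_add_tool(data):
    """Same endpoint, loading through the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


# For blobs the server produced itself (e.g. a tool it cached earlier), the
# right control is origin authentication: HMAC the bytes with a server-only
# key (assumed here) and verify before unpickling. This proves who made the
# blob; it does not make pickle safe for bytes of unknown origin.
_SERVER_KEY = os.urandom(32)


def sign_pickle(data):
    return hmac.new(_SERVER_KEY, data, hashlib.sha256).digest() + data


def verify_and_load(signed):
    tag, data = signed[:32], signed[32:]
    expected = hmac.new(_SERVER_KEY, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature mismatch: refusing to unpickle")
    return pickle.loads(data)


def attempt(loader, data):
    """Run a loader, returning ('accepted', obj) or ('rejected', reason)."""
    try:
        return ("accepted", loader(data))
    except (pickle.UnpicklingError, ValueError) as exc:
        return ("rejected", f"{type(exc).__name__}: {exc}")


def run_demo():
    """Feed the same payload to all three loaders and report what happened."""
    evil = build_malicious_pickle()
    benign = pickle.dumps({"name": "echo", "args": ["text"]})
    r = {}
    clear_marker()
    r["vulnerable"] = attempt(vulnerable_add_tool, evil)
    r["ran_under_vulnerable"] = marker_set()        # True: payload executed
    clear_marker()
    r["hardened"] = attempt(hardened_add_tool, evil)
    r["ran_under_hardened"] = marker_set()          # False: stopped at find_class
    r["hardened_benign"] = attempt(hardened_add_tool, benign)
    r["signed_ok"] = attempt(verify_and_load, sign_pickle(benign))
    tampered = sign_pickle(benign)[:32] + evil      # genuine tag, swapped body
    r["signed_tampered"] = attempt(verify_and_load, tampered)
    r["ran_under_tampered"] = marker_set()          # False: rejected unread
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two caveats on the hardened variants. The allowlist is only as safe as its contents: admitting any global that executes code (builtins.eval, os.system, subprocess.Popen, and so on) reopens the hole, which is why the example allows only inert container types. And cloudpickle's ability to ship functions by value is reconstructed through cloudpickle's own helper globals, which the allowlist also blocks; if the feature genuinely requires accepting arbitrary callables from clients, no unpickler can be made safe and the control has to move to authenticating and authorizing who may call the endpoint at all.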
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20250619-01186/CVE-2025-6279
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6279
- https://github.com/advisories/GHSA-rpfv-46xj-5984
- https://nvd.nist.gov/vuln/detail/CVE-2025-6279
- https://github.com/Upsonic/Upsonic/issues/353
- https://vuldb.com/?ctiid.313283
- https://vuldb.com/?id.313283
- https://vuldb.com/?submit.593099
- https://github.com/Upsonic/Upsonic/pull/360
- https://github.com/Upsonic/Upsonic/pull/360#issuecomment-2979387098
- https://github.com/Upsonic/Upsonic/commit/a54529acc6e4bfe28f4f5c80c058144348a306b7
- https://github.com/pypa/advisory-database/tree/main/vulns/upsonic/PYSEC-2025-68.yaml
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
