CVE-2025-62515

CVE-2025-62515 is a critical deserialization vulnerability (CWE-502) in the pyquokka framework, a Python library for building time series data lakes. It affects versions 0.3.1 and prior, where the FlightServer class in pyquokka/flight.py directly invokes pickle.loads() on action bodies from Flight clients without sanitization or validation. This occurs in the do_action() method at line 283, as well as in cache_garbage_collect, do_put, and do_get functions, allowing untrusted remote data to be deserialized unsafely. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote attackers can exploit this vulnerability if the FlightServer is configured to listen on 0.0.0.0, exposing it network-wide. No authentication or privileges are required, enabling unauthenticated adversaries to send malicious pickled payloads via the set_configs action or other affected endpoints. Successful exploitation results in arbitrary remote code execution on the server, with high confidentiality, integrity, and availability impacts.

The primary advisory is published at https://github.com/marsupialtail/quokka/security/advisories/GHSA-f74j-gffq-vm9p, which details the vulnerability and likely includes guidance on patches or mitigations such as upgrading to a fixed version or restricting FlightServer bindings.