CVE-2025-62703
Published: 25 November 2025
Description
Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization via FlaskRPCServer. The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server implementation, I found that the _decode() function in fugue/rpc/flask.py directly uses cloudpickle.loads() to deserialize data without any sanitization. This creates a remote code execution vulnerability when malicious pickle data is processed by the RPC server. The vulnerability exists in the RPC communication mechanism where the client can send arbitrary serialized Python objects that will be deserialized on the server side, allowing attackers to execute arbitrary code on the victim's machine. This issue has been patched via commit 6f25326.
Mitigating Controls (NIST 800-53 r5) (AI)
Directly mitigates unsafe deserialization by requiring validation of incoming RPC pickle data to ensure it is within acceptable domains before processing.
Addresses the specific deserialization flaw in Fugue by requiring identification, reporting, and timely application of patches like commit 6f25326.
Reduces exposure of the FlaskRPCServer to adjacent network attackers (AV:A) by monitoring and controlling communications at system boundaries.
Security Summary (AI)
CVE-2025-62703 is a remote code execution vulnerability in the Fugue framework, a unified interface for distributed computing that enables execution of Python, Pandas, and SQL code on backends like Spark, Dask, and Ray. The issue affects version 0.9.2 and prior, stemming from unsafe deserialization in the FlaskRPCServer component. Specifically, the _decode() function in fugue/rpc/flask.py directly invokes cloudpickle.loads() on incoming data without sanitization, allowing arbitrary serialized Python objects sent via RPC to be deserialized and executed on the server. The vulnerability is rated 8.8 on the CVSS v3.1 scale (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-502 (Deserialization of Untrusted Data).
Attackers on an adjacent network (AV:A) can exploit this with low complexity and no privileges or user interaction required. By sending malicious pickle data through the RPC communication mechanism, an unauthenticated adversary can trigger arbitrary code execution on the server hosting the FlaskRPCServer, potentially compromising confidentiality, integrity, and availability with high impact.
The Fugue project has addressed the vulnerability via commit 6f25326779fd1f528198098d6287c5a863176fc0, as detailed in GitHub Security Advisory GHSA-xv5p-fjw5-vrj6. Security practitioners should ensure affected deployments upgrade to a patched version of Fugue beyond 0.9.2.
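A defensive sketch of the validation gap described above, added here as an illustration; it is not Fugue's code and not the change made in commit 6f25326. It assumes the RPC peers share a secret key, that only plain data containers need to cross the boundary, and it uses the standard-library pickle in place of cloudpickle; the names `encode`, `safe_decode`, `AllowListUnpickler` and `ALLOWED_GLOBALS` are hypothetical.

```python
import base64
import hashlib
import hmac
import io
import pickle

# Assumption: only plain data containers cross the RPC boundary, so almost no
# global (class or function) lookup is needed. Extend this set deliberately.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not explicitly allow-listed."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def encode(obj, key: bytes) -> str:
    """Sender side: pickle, prepend an HMAC tag, base64 for transport."""
    body = pickle.dumps(obj)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(tag + body).decode("ascii")


def safe_decode(blob: str, key: bytes):
    """Receiver side: authenticate first, then load through the allow-list."""
    raw = base64.b64decode(blob, validate=True)
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; nothing is unpickled unless the tag matches.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad or missing HMAC tag; payload not deserialized")
    return AllowListUnpickler(io.BytesIO(body)).load()


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-use"  # constructed sample key
    print(safe_decode(encode({"rows": [1, 2, 3]}, key), key))
    try:
        # Correctly signed, but references a global outside the allow-list.
        safe_decode(encode(print, key), key)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

The HMAC check keeps unauthenticated bytes away from the unpickler entirely, and the allow-list limits what a holder of the key can make the receiver import.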
AI Security Analysis (AI)
- AI Category: Data Processing Libraries
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Fugue is a library for distributed data processing and computing, unifying Python, Pandas, SQL execution on backends like Spark, Dask, and Ray, which are commonly used in AI/ML data pipelines and workflows.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Unsafe deserialization via cloudpickle.loads() in FlaskRPCServer enables remote code execution by sending malicious serialized Python objects over RPC, facilitating exploitation of public-facing web applications (T1190), exploitation of remote services (T1210), and Python code execution (T1059.006).