giantspatula SewKinect Remote Code Execution Vulnerability via Unsafe Deserialization
Vulnerability
A remote code execution vulnerability exists in giantspatula SewKinect versions prior to 7fd963ceb3385af3706af02b8a128a13399dffb1. The issue arises in the '/calculate' endpoint, where the function 'pickle.loads' is used to deserialize user-supplied data without proper validation. This vulnerability allows attackers to craft malicious pickle payloads that, when deserialized, can execute arbitrary commands on the server.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server, which could lead to a complete system compromise, unauthorized data access, or disruption of services.
Reproduction
To reproduce this vulnerability, send a POST request to the '/calculate' endpoint with base64-encoded pickled objects in the 'body_parts' and 'point_cloud' fields. The 'body_parts' field should contain a malicious payload designed to execute commands on the server, while the 'point_cloud' field can be a regular pickled object, such as 'None'.
Remediation
Do not call 'pickle.loads' on untrusted data. Instead, use a safer, data-only serialization format like JSON. Additionally, validate and sanitize all user inputs before processing.
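The remediation above as an added example (not SewKinect's code): both '/calculate' fields are decoded as base64-wrapped JSON and checked against a strict shape, so a pickle blob is rejected instead of being deserialized. The field schema ('body_parts' as a name-to-[x, y, z] map, 'point_cloud' as a list of points or null), the size limit, and all function names are assumptions.

```python
import base64
import json
import math

MAX_FIELD_CHARS = 1_000_000  # assumed limit; size it to real scan data


class InvalidInput(ValueError):
    """A request field failed decoding or validation."""


def decode_field(b64_text):
    """Decode base64 -> UTF-8 -> JSON. JSON parsing only builds plain data
    (dict, list, str, float, bool, None); it never imports or calls anything."""
    if not isinstance(b64_text, str) or len(b64_text) > MAX_FIELD_CHARS:
        raise InvalidInput("field missing or too large")
    try:
        raw = base64.b64decode(b64_text, validate=True)
        # parse_int=float: huge integers become inf and are rejected below.
        return json.loads(raw.decode("utf-8"), parse_int=float)
    except (ValueError, RecursionError) as exc:  # bad base64, UTF-8, JSON, nesting
        raise InvalidInput("field is not base64-encoded JSON") from exc


def _point(value):
    # Exactly three finite floats; bools, strings, NaN and inf are rejected.
    if not isinstance(value, list) or len(value) != 3:
        raise InvalidInput("point must be a list of three numbers")
    if not all(isinstance(n, float) and math.isfinite(n) for n in value):
        raise InvalidInput("coordinates must be finite numbers")
    return tuple(value)


def parse_calculate_request(form):
    """Validate both /calculate fields (the schema here is an assumption)."""
    body_parts = decode_field(form.get("body_parts"))
    point_cloud = decode_field(form.get("point_cloud"))
    if not isinstance(body_parts, dict):
        raise InvalidInput("body_parts must be a JSON object")
    parts = {name: _point(p) for name, p in body_parts.items()}
    if point_cloud is None:
        return parts, None
    if not isinstance(point_cloud, list):
        raise InvalidInput("point_cloud must be a list of points or null")
    return parts, [_point(p) for p in point_cloud]
```

Clients must send JSON in these fields after such a change, so the endpoint and its callers have to be updated together.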
