CPython SourcelessFileLoader Legacy PYC File Handling Improperly Bypasses Validation

Vulnerability

A vulnerability exists in CPython's import hook for legacy sourceless '.pyc' files. The issue arises because the 'SourcelessFileLoader' subclass does not correctly use 'io.open_code()' to read these files, which can lead to validation bypass. This vulnerability affects CPython versions 3.10, 3.11, 3.12, 3.13, and 3.14.

Impact

This vulnerability can be exploited by manipulating the module search path to prioritize a module's '.pyc' file, bypassing any validation that would normally be applied when using 'io.open_code()'.

Reproduction

The vulnerability can be reproduced by hooking 'io.open_code()' to perform validation and then placing a module's '.pyc' file earlier in the search path than its source. When the module is imported, the validation is bypassed, because 'SourcelessFileLoader' reads the '.pyc' file without going through 'io.open_code()'.
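Two checks a defender can run on an affected interpreter, added here as example code (not from CPython or the advisory): one lists legacy sourceless '.pyc' files on the search path (a top-level '<name>.pyc' with no sibling '<name>.py', which is exactly what 'SourcelessFileLoader' picks up), the other lists already-imported modules whose loader is 'SourcelessFileLoader'. The 'demo()' function builds a constructed fixture module named 'orphan_demo' in a temporary directory to show both checks firing.

```python
import importlib
import importlib.machinery
import os
import py_compile
import sys
import tempfile


def find_orphan_pyc(paths):
    """Legacy sourceless bytecode: '<name>.pyc' directly in a search-path
    directory (not under __pycache__) with no '<name>.py' beside it."""
    found = []
    for entry in paths:
        if not os.path.isdir(entry):
            continue
        for fname in sorted(os.listdir(entry)):
            stem, ext = os.path.splitext(fname)
            if ext == ".pyc" and not os.path.exists(os.path.join(entry, stem + ".py")):
                found.append(os.path.join(entry, fname))
    return found


def sourceless_modules(modules=None):
    """(name, origin) for loaded modules that came in via SourcelessFileLoader,
    i.e. bytecode that was read without io.open_code() on affected versions."""
    modules = sys.modules if modules is None else modules
    hits = []
    for name, mod in list(modules.items()):
        spec = getattr(mod, "__spec__", None)
        if spec is not None and isinstance(spec.loader, importlib.machinery.SourcelessFileLoader):
            hits.append((name, spec.origin))
    return hits


def demo():
    """Constructed fixture: compile a tiny module, delete its .py so only the
    legacy .pyc remains, import it, and return what both checks report."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "orphan_demo.py")
    with open(src, "w") as fh:
        fh.write("VALUE = 42\n")
    py_compile.compile(src, cfile=os.path.join(tmp, "orphan_demo.pyc"), doraise=True)
    os.remove(src)
    orphans = find_orphan_pyc([tmp])
    sys.path.insert(0, tmp)
    try:
        mod = importlib.import_module("orphan_demo")
    finally:
        sys.path.remove(tmp)
    return orphans, sourceless_modules(), mod.VALUE


if __name__ == "__main__":
    print(demo())
```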

Remediation

The vulnerability has been fixed in CPython. Users should update to the latest version.

Added: Mar 4, 2026, 11:19 PM
Updated: Mar 4, 2026, 11:19 PM

Vulnerability Rating

Custom Algorithm

    spread          9.0
    impact          3.1
    exploitability  4.2
    remediation     7.7
    relevance       3.5
    threat          6.4
    urgency         2.9
    incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.