irmen Pyro
cpe:2.3:a:pyro_project:pyro:*:*:*:*:*:*:*
- <= 3.16
A remote code execution vulnerability exists in Pyro versions 3.16 and prior, because incoming messages are deserialized with Python's pickle module even when they come from untrusted sources. When a crafted pickle message is sent to a Pyro server, it is deserialized without any authentication or integrity check, so loading it can execute arbitrary code on the server.
Exploitation of this vulnerability leads to unauthenticated remote code execution on the affected server.
Users are advised to migrate to Pyro5, which does not use pickle for serialization by default and offers safer alternatives. If an immediate migration is not possible, Pyro3 should be used only over trusted networks and channels.
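To make the mitigation concrete, here is an added example (not Pyro's own code, and not Pyro5's serializer) of what a receiver that refuses code-carrying pickles looks like: it scans the opcode stream for anything that can resolve or call a callable, then loads with an Unpickler whose `find_class` rejects every global. The sample messages are constructed for the example and are not real Pyro traffic.

```python
import io
import pickle
import pickletools

# Opcodes that let a pickle resolve, construct or call code on load.
# A plain data message (dicts, lists, strings, numbers) needs none of them.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ",
                "NEWOBJ_EX", "BUILD", "EXT1", "EXT2", "EXT4"}


def code_opcodes_in(message: bytes) -> set[str]:
    """Return the code-capable opcodes present in a pickled message."""
    found = set()
    try:
        for opcode, _arg, _pos in pickletools.genops(message):
            if opcode.name in CODE_OPCODES:
                found.add(opcode.name)
    except Exception:
        # A truncated or malformed stream is treated as suspicious as well.
        found.add("MALFORMED")
    return found


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global, so nothing can be
    imported or invoked during load; only plain data types survive."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def safe_loads(message: bytes):
    """Load a message only if it is pure data; raise otherwise."""
    if code_opcodes_in(message):
        raise pickle.UnpicklingError("message carries code-capable opcodes")
    return DataOnlyUnpickler(io.BytesIO(message)).load()


def rejects(message: bytes) -> bool:
    """True if safe_loads refuses the message (used for checks below)."""
    try:
        safe_loads(message)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed samples: a data-only request, a bare reference to a
# module-level function, and an arbitrary object instance.
BENIGN = pickle.dumps({"method": "add", "args": [2, 3]}, protocol=4)
REFERENCE = pickle.dumps(pickletools.genops, protocol=4)
INSTANCE = pickle.dumps(ValueError("bad"), protocol=4)
```

Only BENIGN loads; the other two are refused at the opcode scan, and even a message that slipped past the scan could not resolve a global in `DataOnlyUnpickler`.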