pytries datrie Insecure Deserialization Vulnerability Leading to Arbitrary Code Execution

Vulnerability

A critical vulnerability allowing arbitrary code execution has been identified in the pytries datrie library, in versions through 0.8.3. The datrie.Trie class stores per-key Python values separately from the libdatrie trie data and restores them with Python's pickle module: Trie.read() (and Trie.load(), which opens the file and calls it) deserialize the value list with an unrestricted pickle.load(), and Trie.__setstate__() restores the same data when a Trie object is unpickled. Because pickle reconstructs objects by calling whatever callables the stream names, a crafted .trie file can embed a malicious pickle payload that executes arbitrary Python code as soon as the file is loaded, before any key is looked up. The datrie.BaseTrie class is not affected; it stores no Python values and does not use pickle. Exploitation requires no authentication and can be performed remotely by anyone who can deliver a .trie file to the victim (for example as a downloaded dictionary or model file), but it requires user interaction: the victim, or an application acting on their behalf, must load the attacker's file.

Impact

Exploitation of this vulnerability allows arbitrary code execution with the privileges of the process that loads the malicious .trie file. In a service that loads user-supplied tries this amounts to full compromise of that service, and everything the process can reach (files, credentials, network access) is exposed to the attacker.

Reproduction

The vulnerability can be reproduced by creating a .trie file whose trailing pickle segment carries a malicious payload. This can be done with a Python script that uses the datrie library itself to save a Trie whose stored values are objects that pickle by reference to a callable (the standard __reduce__ mechanism), so that the callable is invoked when the values are unpickled. Loading the resulting file with Trie.load() (or Trie.read()) runs the embedded payload during deserialization; no lookup on the trie is required.

Remediation

Users are advised to update to a release of the pytries datrie library that has addressed this vulnerability. Until then, treat .trie files as executable code: load only files from trusted sources, verify their integrity (for example a signature or a pinned hash) before calling Trie.load(), and never load tries that were uploaded by or fetched from untrusted parties. If per-key Python values are not needed, datrie.BaseTrie, which stores no values and does not use pickle, can be used instead. If no fixed version is available and values are required, consider replacing the library with one whose on-disk format does not rely on pickle, or restrict the unpickler applied to the value segment so that it accepts only plain data types.
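The following is an added example written for this page; it is not code from datrie or from the page's author, and it uses only the Python standard library so it runs without datrie installed. It illustrates both the reproduction above (why a value object with a __reduce__ method is enough to get code run by pickle.load) and the remediation (a static opcode pre-check plus a restricted Unpickler for the value segment). It assumes that the caller has already split the trailing pickle segment off the libdatrie binary blob that precedes it in a real .trie file; the payload and the benign value list are constructed inline, and the payload calls a harmless builtin rather than a shell.

```python
"""Added example (not datrie's own code).

datrie's Trie.write() appends pickle.dump(values, f) after the libdatrie
binary data, and Trie.read() restores it with a plain pickle.load(f).
Everything here operates on that trailing pickle segment only; splitting
it off the binary trie data is assumed to be done by the caller.
"""
import io
import pickle
import pickletools

# Opcodes that let a pickle stream name or call arbitrary Python objects.
# A value list written by datrie (str/int/float/bytes/None and containers
# of those) never needs any of them.
DANGEROUS_OPCODES = frozenset({
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD", "INST", "OBJ",
    "NEWOBJ", "NEWOBJ_EX", "EXT1", "EXT2", "EXT4",
})


class _Payload:
    """Constructed stand-in for an attacker-controlled trie value.

    pickle rebuilds an object by calling the callable that __reduce__
    returns, at unpickle time. A harmless builtin is used here; a real
    payload would name os.system, subprocess.Popen, or similar.
    """

    def __reduce__(self):
        return (print, ("pickle payload executed",))


def make_malicious_values() -> bytes:
    """Bytes an attacker would place in the values segment (constructed)."""
    return pickle.dumps(_Payload())


def make_benign_values() -> bytes:
    """What a legitimate Trie value list looks like on disk (constructed)."""
    return pickle.dumps(["alpha", "beta", 42, None])


def vulnerable_load_values(segment: bytes):
    """Mirrors the datrie pattern: unrestricted pickle.load on file content."""
    return pickle.load(io.BytesIO(segment))


def suspicious_opcodes(segment: bytes) -> set:
    """Static pre-check: which code-loading opcodes does the stream use?

    pickletools.genops only disassembles and never executes anything, so
    it is safe to run on untrusted bytes before deciding to unpickle.
    """
    names = {op.name for op, _arg, _pos in pickletools.genops(segment)}
    return names & DANGEROUS_OPCODES


class ValuesUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup.

    Any attempt to resolve module.name from the stream is treated as an
    attack, since plain trie values never require find_class.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} from untrusted trie values")


def safe_load_values(segment: bytes):
    """Hardened replacement for the pickle.load used on the value segment."""
    flagged = suspicious_opcodes(segment)
    if flagged:
        raise pickle.UnpicklingError(
            f"values segment uses code-loading opcodes: {sorted(flagged)}")
    return ValuesUnpickler(io.BytesIO(segment)).load()


if __name__ == "__main__":
    print("benign opcodes flagged:", suspicious_opcodes(make_benign_values()))
    print("malicious opcodes flagged:", suspicious_opcodes(make_malicious_values()))
    print("safe load of benign values:", safe_load_values(make_benign_values()))
    try:
        safe_load_values(make_malicious_values())
    except pickle.UnpicklingError as exc:
        print("malicious values rejected:", exc)
    # The unrestricted path runs the payload during load, as Trie.read() would.
    vulnerable_load_values(make_malicious_values())
```

The opcode scan is a cheap first gate (it rejects the file without constructing anything), and the restricted Unpickler is the actual control: even if a stream slips past the scan, no global can be resolved, so no callable can be reached. Neither replaces the integrity check recommended above; they limit damage when a trie from an untrusted source is loaded anyway.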

Added: Apr 6, 2026, 2:19 PM
Updated: Apr 6, 2026, 2:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 7.4
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.