Platform
python
Component
cryptidy
Fixed in
1.2.5
CVE-2025-63675 describes a code execution vulnerability in cryptidy versions up to and including 1.2.4. The flaw arises from the insecure use of pickle.loads on decrypted data, which allows an attacker who controls that data to execute arbitrary code. The vulnerable code is in the aes_decrypt_message function in symmetric_encryption.py. A fix is available in version 1.2.5.
Successful exploitation of CVE-2025-63675 could allow an attacker to execute arbitrary code on the system running the cryptidy library. This could lead to complete system compromise, data theft, or the installation of malicious software. Passing untrusted data to pickle.loads is a well-known security risk: pickle deserializes arbitrary Python objects, and a crafted pickle stream can run code while it is being loaded. The vulnerability is particularly concerning in environments where cryptidy is used to process data from untrusted sources.
CVE-2025-63675 was published on 2025-10-31. Its exploitation probability is considered medium due to the potential for remote code execution. No public proof-of-concept exploits are currently known, but the vulnerability's severity suggests it is likely to be targeted. Refer to the cryptidy project's security advisories for updates and further information.
Systems utilizing cryptidy for symmetric encryption, particularly those processing data from untrusted sources, are at risk. This includes applications that integrate cryptidy for secure communication or data storage, especially if they lack robust input validation mechanisms. Development environments using older versions of cryptidy are also vulnerable.
• python / server:
    def parse_version(version):
        # Compare as a numeric tuple: a plain string comparison would rank
        # '1.2.10' below '1.2.4' and misreport a fixed release as vulnerable.
        return tuple(int(p) for p in version.split(".")[:3])

    def check_cryptidy_version():
        try:
            import cryptidy
        except ImportError:
            print("cryptidy is not installed.")
            return
        version = cryptidy.__version__
        if parse_version(version) <= (1, 2, 4):
            print(f"Vulnerable cryptidy version detected: {version}")
        else:
            print(f"Cryptidy version is safe: {version}")

    check_cryptidy_version()
Disclosure
Exploit status
EPSS: 0.05% (16th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-63675 is to upgrade cryptidy to version 1.2.5 or later. If upgrading is not immediately possible, avoid processing data from untrusted sources with cryptidy. Implement strict input validation and sanitization to prevent malicious data from being processed. Consider using alternative serialization formats that are less vulnerable to code execution attacks. After upgrading, confirm the vulnerability is resolved by attempting to process a known malicious pickle file; it should be rejected or handled safely.
Upgrade the cryptidy library to a version that is not vulnerable. If no such version is available, avoid using the aes_decrypt_message function, or implement a replacement that does not use pickle.loads to deserialize untrusted data. Consider a safer serialization format such as JSON, or a strict validation schema for the deserialized data.
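The mitigation advice above (replace pickle with JSON and validate strictly) is shown below as an added example; it is not cryptidy's code and not part of this advisory. It sketches the post-decryption step of a hypothetical messaging application: `legacy_unpack` is the pattern the advisory warns about, and `safe_unpack` is the hardened replacement. The field names, the size limits and the `MessageRejected` class are assumptions made for the example; the only input it uses is a benign constructed sample.

```python
import json
import pickle
from typing import Any

# The pattern the advisory describes (illustrative sketch, not cryptidy's code):
# whatever bytes come out of AES decryption go straight into pickle.loads.
# Ciphertext authentication is not a defence here; anyone whose data reaches
# this point, legitimately or through a key-handling bug, can run code.
def legacy_unpack(plaintext: bytes) -> Any:
    return pickle.loads(plaintext)  # unsafe on data from untrusted sources

# Hardened replacement: JSON plus a strict schema (names and limits assumed).
ALLOWED_FIELDS = {"sender": str, "body": str, "seq": int}
MAX_BODY = 4096

class MessageRejected(ValueError):
    """Raised for any plaintext that is not a well-formed, in-schema message."""

def pack(message: dict) -> bytes:
    # Sender side: compact JSON, never pickle.
    return json.dumps(message, separators=(",", ":")).encode("utf-8")

def safe_unpack(plaintext: bytes) -> dict:
    # Give a clear error for protocol-2+ pickle streams (they start with 0x80).
    # The JSON parser below is the real gate; this check only improves the message.
    if plaintext.startswith(b"\x80"):
        raise MessageRejected("pickle stream rejected")
    try:
        obj = json.loads(plaintext.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise MessageRejected(f"not valid JSON: {exc}") from None
    # Exact field set: no missing fields, no extras.
    if not isinstance(obj, dict) or set(obj) != set(ALLOWED_FIELDS):
        raise MessageRejected("unexpected field set")
    for name, typ in ALLOWED_FIELDS.items():
        # `is not` rather than isinstance, so JSON true/false does not pass as int.
        if type(obj[name]) is not typ:
            raise MessageRejected(f"field {name!r} has wrong type")
    if len(obj["body"]) > MAX_BODY or obj["seq"] < 0:
        raise MessageRejected("field out of range")
    return obj

def rejects(plaintext: bytes) -> bool:
    """True if safe_unpack refuses the input; used to exercise the checks."""
    try:
        safe_unpack(plaintext)
    except MessageRejected:
        return True
    return False

def benign_pickle_sample() -> bytes:
    # Constructed sample: a harmless pickled dict, only to show that the
    # hardened path refuses pickle-formatted plaintext outright.
    return pickle.dumps({"sender": "alice", "body": "hi", "seq": 3}, protocol=2)

if __name__ == "__main__":
    msg = {"sender": "alice", "body": "hi", "seq": 3}
    print(safe_unpack(pack(msg)))                 # round-trips the JSON form
    print(rejects(benign_pickle_sample()))        # True: pickle input refused
    print(rejects(b'{"sender":"alice","body":"hi","seq":true}'))  # True: bool is not int
```

The exact-field-set check and the `type(...) is not typ` comparison are deliberate: JSON cannot carry code, but a permissive schema that accepts extra keys or bool-for-int still lets surprising values reach application logic, which is the "strict validation" the advisory asks for.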
CVE-2025-63675 is a medium severity vulnerability affecting cryptidy versions up to 1.2.4. It allows an attacker to execute arbitrary code due to the insecure use of the pickle.loads function.
You are affected if you are using cryptidy version 1.2.4 or earlier. Check your installed version and upgrade to 1.2.5 or later to mitigate the risk.
Upgrade cryptidy to version 1.2.5 or later. If upgrading is not possible immediately, implement strict input validation to prevent untrusted data from being processed by the vulnerable function.
There is currently no evidence of active exploitation, but the public disclosure of the CVE increases the likelihood of future attacks.
Refer to the cryptidy project's official website or repository for the latest security advisories and updates related to CVE-2025-63675.