Platform
python
Component
cryptidy
Fixed in
1.2.5
CVE-2025-63675 describes a code execution vulnerability in cryptidy versions up to and including 1.2.4. The flaw is the insecure use of pickle.loads in the aes_decrypt_message function of symmetric_encryption.py, which lets an attacker who controls the input potentially execute arbitrary code. A fix is available in version 1.2.5.
The vulnerability allows an attacker to execute arbitrary code on a system running a vulnerable version of cryptidy by crafting a malicious pickled object and passing it to aes_decrypt_message, which deserializes it. Successful exploitation could lead to complete system compromise, including data theft, data modification, or denial of service. The impact is severe because pickle.loads is inherently unsafe on untrusted data: deserialization can execute arbitrary code. This is the same class of deserialization flaw that has led to significant breaches elsewhere.
The vulnerability was publicly disclosed on 2025-10-31. There is no indication of active exploitation campaigns at this time, but the availability of a public CVE suggests that the vulnerability is likely to be targeted. The use of pickle.loads with untrusted data is a well-known security risk, increasing the probability of exploitation. No KEV listing is currently available.
Exploit Status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-63675 is to upgrade cryptidy to version 1.2.5 or later, which addresses the insecure use of pickle.loads. If upgrading is not immediately feasible, implement input validation so that only trusted data reaches the aes_decrypt_message function. While not a complete solution, restricting the source of data used for decryption reduces the attack surface. Additionally, consider using a safer serialization format such as JSON instead of pickle. After upgrading, confirm the fix by attempting to decrypt a known malicious pickled object and verifying that it is rejected or handled safely.
Update the cryptidy library to a non-vulnerable version. If no version is available, avoid using the aes_decrypt_message function or implement a solution that does not use pickle.loads to deserialize untrusted data. Consider using a more secure serialization format like JSON or a strict validation schema for the deserialized data.
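As an added illustration of the advice above (example code written for this page, not cryptidy's own; it assumes the decrypted plaintext is the byte string that the vulnerable code hands to pickle.loads), the following replaces a bare pickle.loads with an allow-listing unpickler plus a shape check on the result, so a payload referencing any class outside the allow-list is refused before the opcode that would invoke it runs:

```python
import collections
import io
import pickle

# Globals a decrypted payload may reference. Plain dict/list/str/int/bytes
# payloads need none of these; set/frozenset are listed because pickles
# older than protocol 4 spell them as builtins globals. Anything else is refused.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}

class RestrictedUnpickler(pickle.Unpickler):
    """pickle.Unpickler that resolves only allow-listed globals."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        # Raised while the GLOBAL/STACK_GLOBAL opcode is processed, so no
        # later REDUCE opcode can call the referenced object.
        raise pickle.UnpicklingError(f"refused global {module}.{name}")

def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads on data of untrusted origin."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_plain(obj) -> bool:
    """Schema check: only JSON-like scalars, lists/tuples and str-keyed dicts."""
    if isinstance(obj, (str, int, float, bool, bytes, type(None))):
        return True
    if isinstance(obj, (list, tuple)):
        return all(is_plain(x) for x in obj)
    if isinstance(obj, dict):
        return all(isinstance(k, str) and is_plain(v) for k, v in obj.items())
    return False

def load_decrypted_payload(plaintext: bytes):
    """Return ("ok", obj) or ("rejected", reason) for a decrypted blob."""
    try:
        obj = restricted_loads(plaintext)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)
    if not is_plain(obj):
        return "rejected", f"unexpected object type {type(obj).__name__}"
    return "ok", obj

# Constructed sample plaintexts standing in for the output of AES decryption.
GOOD_PAYLOAD = pickle.dumps({"user": "alice", "roles": ["admin"], "n": 3})
# Harmless here, but it takes the same code path (a global reference resolved
# by find_class) that a hostile payload depends on, so it must be refused.
UNLISTED_PAYLOAD = pickle.dumps(collections.OrderedDict(a=1))
```

load_decrypted_payload(GOOD_PAYLOAD) returns the original dict, while load_decrypted_payload(UNLISTED_PAYLOAD) returns a rejection naming collections.OrderedDict without constructing it.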
CVE-2025-63675 is a medium severity vulnerability affecting cryptidy versions up to 1.2.4. It allows an attacker to execute arbitrary code due to the insecure use of the pickle.loads function.
You are affected if you are using cryptidy version 1.2.4 or earlier. Check your installed version and upgrade to 1.2.5 or later to mitigate the risk.
Upgrade cryptidy to version 1.2.5 or later. If upgrading is not possible immediately, implement strict input validation to prevent untrusted data from being processed by the vulnerable function.
There is currently no evidence of active exploitation, but the public disclosure of the CVE increases the likelihood of future attacks.
Refer to the cryptidy project's official website or repository for the latest security advisories and updates related to CVE-2025-63675.