Platform
python
Component
cryptidy
Fixed version
1.2.5
CVE-2025-63675 describes a code execution vulnerability in cryptidy versions up to and including 1.2.4. The flaw arises from the insecure use of pickle.loads, which lets an attacker who controls the deserialized bytes execute arbitrary code. The vulnerable call sits in the aes_decrypt_message function in symmetric_encryption.py. A fix is available in version 1.2.5.
An attacker who can supply data that reaches aes_decrypt_message for deserialization can craft a malicious pickled object and have it executed in the context of the decrypting process. Successful exploitation could lead to full compromise of that process and host, including data theft, modification, or denial of service. The impact is severe because pickle.loads is unsafe by design on untrusted input: the pickle format can name and call arbitrary importable callables during deserialization, so no amount of checking the unpickled result afterwards helps. This is the same class of deserialization flaw behind many earlier breaches.
The vulnerability was publicly disclosed on 2025-10-31. There is no indication of active exploitation at this time, but the public CVE and the well-known exploitability of pickle.loads on untrusted data make it a likely target. It is not currently listed in the CISA KEV catalog.
Systems that use cryptidy for symmetric encryption are at risk, particularly those that decrypt data received from untrusted sources, such as applications that integrate cryptidy for network communication or for reading stored blobs, and especially where the origin of the ciphertext is not tightly controlled. Development environments pinned to older cryptidy versions are also affected.
• python / server:
import re
from importlib.metadata import PackageNotFoundError, version

def parse_version(v):
    # Turn "1.2.4" into (1, 2, 4) so the comparison is numeric;
    # a plain string comparison would rank "1.2.10" below "1.2.4".
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])

def check_cryptidy_version():
    try:
        installed = version("cryptidy")  # version recorded by pip, no import needed
    except PackageNotFoundError:
        print("cryptidy is not installed.")
        return
    if parse_version(installed) < (1, 2, 5):
        print(f"Vulnerable cryptidy version detected: {installed}")
    else:
        print(f"Cryptidy version is safe: {installed}")

check_cryptidy_version()
Exploit status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-63675 is to upgrade cryptidy to version 1.2.5 or later, which addresses the insecure use of pickle.loads. If upgrading is not immediately feasible, restrict which sources can supply data to aes_decrypt_message so that only trusted peers can produce ciphertext that the application will decrypt; this narrows the attack surface but is not a complete fix, because the deserialization itself remains unsafe. Where you control both ends of the exchange, serialize the plaintext with a data-only format such as JSON and decrypt to bytes rather than to a pickled object. After upgrading, confirm the fix by checking that the installed version is 1.2.5 or later and, if you keep a regression test for it, by verifying in an isolated environment that a crafted pickle payload is no longer deserialized by the decrypt path.
Update the cryptidy library to a version that is not vulnerable. If no fixed version is available, avoid using the aes_decrypt_message function, or implement an alternative that does not use pickle.loads to deserialize untrusted data. Consider a safer serialization format such as JSON, or a strict validation schema for the deserialized data.
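The following is an added example, not cryptidy's own code, covering both the exploitation mechanism described under impact above and the mitigation advice in this section. It builds a constructed pickle payload whose deserialization calls a function of the attacker's choosing (here the harmless os.getpid, standing in for something like os.system), shows that a plain pickle.loads executes it, and contrasts two hardened alternatives: a restricted Unpickler whose find_class only resolves an explicit allowlist (the allowlist contents are an illustrative assumption), and a JSON encoding that carries no executable references at all. It does not touch cryptidy; the AES layer is out of scope and the point is what happens to the decrypted bytes.

```python
import io
import json
import os
import pickle


class Payload:
    """Constructed attacker object: __reduce__ tells pickle to emit a call to
    os.getpid() when the bytes are loaded. Any importable callable could be
    substituted; getpid is used so the demo is harmless."""

    def __reduce__(self):
        return (os.getpid, ())


def craft_payload() -> bytes:
    """Produce the malicious pickle an attacker would feed to a decrypt path."""
    return pickle.dumps(Payload())


def unsafe_loads(data: bytes):
    """The vulnerable pattern: pickle.loads on bytes the caller did not produce."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation: refuse every global lookup except an explicit allowlist.
    The allowlist below is a hypothetical choice for the demo; a real one lists
    only the plain data types an application legitimately exchanges."""

    ALLOWED = {
        ("builtins", "set"),
        ("builtins", "frozenset"),
        ("datetime", "datetime"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_loads_blocked(data: bytes) -> bool:
    """True when the restricted unpickler rejects the payload."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def json_pack(obj) -> bytes:
    """Preferred fix: a data-only format. JSON cannot name a callable."""
    return json.dumps(obj, separators=(",", ":")).encode()


def json_unpack(data: bytes):
    return json.loads(data.decode())


def plain_dict_roundtrip() -> dict:
    """A pickle with no GLOBAL references still loads under the restriction."""
    return restricted_loads(pickle.dumps({"k": [1, 2]}))


def demo() -> tuple:
    payload = craft_payload()
    # 1. unrestricted load: os.getpid() runs during deserialization
    ran_attacker_callable = unsafe_loads(payload) == os.getpid()
    # 2. restricted load: the GLOBAL lookup for getpid is refused
    blocked = restricted_loads_blocked(payload)
    # 3. JSON: the same message shape survives a round trip with no code path
    msg = {"timestamp": 1730332800, "body": "hello"}
    json_ok = json_unpack(json_pack(msg)) == msg
    return ran_attacker_callable, blocked, json_ok


if __name__ == "__main__":
    print(demo())
```

Note that the restricted Unpickler is a hardening step, not a full substitute for the upgrade: it only constrains which callables the pickle stream may reference, so keep its allowlist to plain data types and prefer the JSON path for anything that crosses a trust boundary.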
CVE-2025-63675 is a medium severity vulnerability affecting cryptidy versions up to 1.2.4. It allows an attacker to execute arbitrary code due to the insecure use of the pickle.loads function.
You are affected if you are using cryptidy version 1.2.4 or earlier. Check your installed version and upgrade to 1.2.5 or later to mitigate the risk.
Upgrade cryptidy to version 1.2.5 or later. If upgrading is not possible immediately, implement strict input validation to prevent untrusted data from being processed by the vulnerable function.
There is currently no evidence of active exploitation, but the public disclosure of the CVE increases the likelihood of future attacks.
Refer to the cryptidy project's official website or repository for the latest security advisories and updates related to CVE-2025-63675.