Python pickle serialization

Description
  • The Python standard library has a module called pickle that is used for serializing and deserializing objects. It's widely regarded as dangerous to unpickle data from any untrusted source.

    It was determined that this web application unpickles data from user-controlled input.
Remediation
  • The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
References