Source: python-socketio
Version: 5.13.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-socketio.

CVE-2025-61765[0]:
| python-socketio is a Python implementation of the Socket.IO realtime
| client and server. A remote code execution vulnerability in python-
| socketio versions prior to 5.14.0 allows attackers to execute
| arbitrary Python code through malicious pickle deserialization in
| multi-server deployments on which the attacker previously gained
| access to the message queue that the servers use for internal
| communications. When Socket.IO servers are configured to use a
| message queue backend such as Redis for inter-server communication,
| messages sent between the servers are encoded using the `pickle`
| Python module. When a server receives one of these messages through
| the message queue, it assumes it is trusted and immediately
| deserializes it. The vulnerability stems from deserialization of
| messages using Python's `pickle.loads()` function. Having previously
| obtained access to the message queue, the attacker can send a
| python-socketio server a crafted pickle payload that executes
| arbitrary code during deserialization via Python's `__reduce__`
| method. This vulnerability only affects deployments with a
| compromised message queue. The attack can lead to the attacker
| executing random code in the context of, and with the privileges of
| a Socket.IO server process. Single-server systems that do not use a
| message queue, and multi-server systems with a secure message queue
| are not vulnerable. In addition to making sure standard security
| practices are followed in the deployment of the message queue, users
| of the python-socketio package can upgrade to version 5.14.0 or
| newer, which removes the `pickle` module and uses the much safer JSON
| encoding for inter-server messaging.

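To make the defensive point of the advisory concrete, here is an added example (not code from python-socketio or from this bug report) of the safe decoding pattern the fix describes: inter-server messages are encoded as JSON, and the receiving side refuses anything that is not a JSON object before any deserializer runs. The message shape, function names and the `classify_message` helper are my own assumptions, not the project's wire format; the classifier is useful only as a check during a rolling upgrade, to confirm that no pickle-encoded traffic is still flowing on the queue.

```python
import json
import pickle

# Constructed sample message (assumed shape, not python-socketio's real format).
SAMPLE_MESSAGE = {"method": "emit", "event": "chat", "data": ["hello"], "namespace": "/"}


def encode_message(message: dict) -> bytes:
    """Encode an inter-server message as compact JSON (the post-5.14.0 approach)."""
    return json.dumps(message, separators=(",", ":")).encode("utf-8")


def classify_message(raw: bytes) -> str:
    """Best-effort classification of a raw queue payload.

    'json'    - starts with '{', the only thing a JSON object can begin with
    'pickle'  - starts with the PROTO opcode 0x80 used by pickle protocol 2+
                (the default since Python 3.0)
    'unknown' - anything else, including protocol 0/1 pickles and empty payloads
    """
    if raw[:1] == b"{":
        return "json"
    if raw[:1] == b"\x80":
        return "pickle"
    return "unknown"


def decode_message(raw: bytes) -> dict:
    """Decode a queue message, accepting only JSON objects.

    The check happens on the raw bytes before any parser runs, so a pickle
    stream is never handed to pickle.loads(), regardless of who wrote it
    to the queue.
    """
    if classify_message(raw) != "json":
        raise ValueError("rejected non-JSON inter-server message")
    try:
        message = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("malformed JSON inter-server message") from exc
    if not isinstance(message, dict):
        raise ValueError("inter-server message must be a JSON object")
    return message


def sample_pickle_message() -> bytes:
    """A pickle-encoded copy of the sample message, standing in for what a
    pre-5.14.0 server would put on the queue. Constructed for the example;
    it is only used as an input that decode_message() must refuse."""
    return pickle.dumps(SAMPLE_MESSAGE)


if __name__ == "__main__":
    wire = encode_message(SAMPLE_MESSAGE)
    print(classify_message(wire), decode_message(wire) == SAMPLE_MESSAGE)
    try:
        decode_message(sample_pickle_message())
    except ValueError as err:
        print("pickle payload refused:", err)
```

Note that the byte-prefix check is not a substitute for the upgrade: its purpose is to guarantee that `pickle.loads()` is never reachable from queue input, and to give operators a way to spot leftover pickle traffic while old and new server versions coexist. The advisory's other mitigation, restricting who can write to the message queue, still applies independently of the encoding.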

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-61765
    https://www.cve.org/CVERecord?id=CVE-2025-61765
[1] https://github.com/miguelgrinberg/python-socketio/security/advisories/GHSA-g8c6-8fjj-2r4m
[2] https://github.com/miguelgrinberg/python-socketio/commit/53f6be094257ed81476b0e212c8cddd6d06ca39a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore