On 1/23/26 11:06, Alan Coopersmith wrote:
https://github.com/bohmiiidd/Undocumented-RCE-in-PLY claims:
Undocumented Remote Code Execution in PLY CVE-2025-56005
--------------------------------------------------------
https://www.cve.org/CVERecord?id=CVE-2025-56005 has added to the references
a link to https://github.com/tom025/ply_exploit_rejection which argues that
this CVE should be rejected because:
## Argument 1: The Proof of Concept does not complete successfully ##
In this project the code from the proof of concept has been copied to main.py.
### Run the proof of concept ###
To run the exploit ensure that you have installed uv.
Run `uv sync`; this will install `ply==3.11` as a project dependency.
Run `uv run main.py`. This will run the proof of concept. This results in the
program exiting early with an `AttributeError: 'function' object has no attribute 'input'`.
The text `VULNERABLE` is not in the file `/tmp/pwned`. This is not a working
example of the alleged vulnerability.
## Argument 2: The proof of concept does not demonstrate Arbitrary Code Execution as claimed ##
Referring to the proof of concept code this does not demonstrate Arbitrary Code
Execution as there is a single program running and no untrusted data has been
passed between processes. This is not a demonstration of CWE-502 as claimed.
See the GitHub repo for the code project in question.
--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - https://blogs.oracle.com/solaris