How to fix CVE-2025-70560?

Within 24 hours: Inventory all Boltz 2.0.0 deployments and identify which process untrusted molecule data; disable molecule loading functionality if not business-critical. Within 7 days: Implement network segmentation to isolate affected systems and restrict file upload sources to trusted internal channels only. Within 30 days: Monitor vendor communications for patch availability; evaluate alternative molecule processing tools or upgrade to patched version immediately upon release.

Is Python affected by CVE-2025-70560?

Boltz 2.0.0 contains a critical deserialization flaw that could allow attackers to execute arbitrary code by uploading malicious molecule data files. Any organization using this software to process molecule files from untrusted sources faces immediate risk of system compromise and data breach.

CVE-2025-70560

HIGH

2026-02-03 [email protected]

GHSA-fjm6-8xp2-4fwc

8.4

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 03, 2026 - 18:16 nvd

HIGH 8.4

Description

Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achieve arbitrary code execution when the file is loaded.

Analysis

Technical Context

Classified as CWE-502 (Deserialization of Untrusted Data). Affects the its molecule loading component of Boltz. Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achieve arbitrary code execution when the file is loaded.

Affected Products

Vendor: Jwohlwend. Product: Boltz. Versions: up to 2.0.0. Component: its molecule loading.

Remediation

Monitor vendor advisories for a patch.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +42

POC: 0

CVE-2025-70560 vulnerability details – vuln.today

Back

CVE-2025-70560

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-70560

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code