Pyod
Monthly
Unsafe deserialization in pyod 3.5.0-3.5.2 exposes the `pyod.utils.persistence.load` function to remote exploitation by authenticated low-privilege users who can manipulate the `path` argument. Rooted in CWE-502 (Deserialization of Untrusted Data), the flaw allows a crafted serialized payload supplied via the path parameter to be deserialized without adequate validation, potentially yielding code execution or data manipulation within the running process. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; an upstream fix is available as GitHub PR #698, though a formally versioned PyPI release incorporating the patch has not been independently confirmed.
Unsafe deserialization in pyod 3.5.0-3.5.2 exposes the `pyod.utils.persistence.load` function to remote exploitation by authenticated low-privilege users who can manipulate the `path` argument. Rooted in CWE-502 (Deserialization of Untrusted Data), the flaw allows a crafted serialized payload supplied via the path parameter to be deserialized without adequate validation, potentially yielding code execution or data manipulation within the running process. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; an upstream fix is available as GitHub PR #698, though a formally versioned PyPI release incorporating the patch has not been independently confirmed.