### Key Information Summary

- **Vulnerability Type**: Unsafe Deserialization
- **Affected Component**: `pickle.loads()` in the `datapizza-ai` Redis cache
- **CVSS Score**: 7.9 (High), CVSS v3.1 base score
- **Affected Versions**: `datapizza-ai` v0.0.7
- **Vulnerable Source Code**: [opportunistic function in `redis/cache.py`](https://github.com/datapizza-labs/datapizza-ai/blob/v0.0.7/datapizza/ai/cache/redis/cache.py)

---

#### Detailed Information

- **Root Cause**: Objects retrieved from Redis are parsed with `pickle` deserialization, which exposes the process to arbitrary command execution.
- **Attack Surface**:
  - Data Reading: the Redis cache contains malicious serialized objects.
  - Execution: when objects read from the cache are deserialized, the `__reduce__` method is invoked and executes arbitrary system commands.
- **Example Command Injection**:
  - A malicious object executes the `touch cachepwnd` command.
  - It can be injected via the Redis interface.

---

#### Impact Assessment

- **Long-term Risk**: Attackers can achieve full takeover of the server host.
- **Potential Poisoning Scenario**: Attackers can control model behavior through cache injection, for example by forging cached query results.
- **Example**: Successful command injection execution, resulting in the creation of a `cachepwnd` file.

---

#### References and Author

- **Vulnerability Details**: [Official Python `pickle` Documentation](https://docs.python.org/3/library/pickle.html)
- **Discovery/Disclosure**: Edoardo Ottavianelli `(@edoardottt)`
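The remediation that follows is an added example and is not code from the `datapizza-ai` project. It shows the two defences a reviewer would ask for in a Redis-backed cache: store values as JSON with an HMAC-SHA256 tag so that an entry written through the Redis interface by anyone who does not hold the key is rejected before it is parsed, and, where `pickle` cannot be removed yet, read with a restricted `Unpickler` whose `find_class` refuses to resolve any global, so a payload relying on `__reduce__` to reach a command-running function cannot be reconstructed. `FakeRedis`, `SignedJsonCache`, the key names and the secret are constructed for this example; the real project's client and key layout are assumed, not reproduced.

```python
import builtins
import hashlib
import hmac
import io
import json
import os
import pickle
from typing import Any, Optional


class FakeRedis:
    """Constructed in-memory stand-in for a Redis client so the example runs offline."""

    def __init__(self) -> None:
        self._store: dict = {}

    def get(self, key: str) -> Optional[bytes]:
        return self._store.get(key)

    def set(self, key: str, value: bytes) -> None:
        self._store[key] = value


class SignedJsonCache:
    """Cache wrapper that never unpickles: values are JSON and every entry carries an
    HMAC-SHA256 tag, so a value written by anyone without the secret is a cache miss."""

    def __init__(self, client: FakeRedis, secret: bytes) -> None:
        self._client = client
        self._secret = secret  # hypothetical secret; load from a KMS/env in practice

    def _tag(self, payload: bytes) -> bytes:
        return hmac.new(self._secret, payload, hashlib.sha256).hexdigest().encode()

    def set(self, key: str, obj: Any) -> None:
        payload = json.dumps(obj, sort_keys=True).encode()
        # Layout: <64 hex chars of tag> "." <json>; the hex tag never contains ".".
        self._client.set(key, self._tag(payload) + b"." + payload)

    def get(self, key: str) -> Any:
        raw = self._client.get(key)
        if raw is None:
            return None
        tag, sep, payload = raw.partition(b".")
        if not sep or not hmac.compare_digest(tag, self._tag(payload)):
            # Tampered or foreign entry: treat as a miss (and alert in a real deployment).
            return None
        return json.loads(payload)


class RestrictedUnpickler(pickle.Unpickler):
    """Defence in depth for code that still has to read pickle: only a few plain
    builtins may be resolved, so GLOBAL/STACK_GLOBAL references to anything else fail
    before any REDUCE call could run."""

    ALLOWED = {"dict", "list", "set", "frozenset", "tuple", "str", "int", "float", "bool", "bytes"}

    def find_class(self, module: str, name: str) -> Any:
        if module == "builtins" and name in self.ALLOWED:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def restricted_loads(blob: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo() -> dict:
    """Exercise both defences on constructed data and return what was observed."""
    client = FakeRedis()
    cache = SignedJsonCache(client, b"constructed-secret-rotate-me")
    cache.set("query:1", {"answer": 42, "items": [1, 2]})
    genuine = cache.get("query:1")
    # Simulate an entry written straight through the Redis interface without the key.
    client.set("query:1", b"0" * 64 + b'.{"answer": 0}')
    tampered = cache.get("query:1")
    benign = restricted_loads(pickle.dumps({"a": [1, 2]}))
    # A pickle that merely references os.system (no call is encoded) is already refused.
    try:
        restricted_loads(pickle.dumps(os.system))
        refused = False
    except pickle.UnpicklingError:
        refused = True
    return {"genuine": genuine, "tampered": tampered, "benign": benign, "refused_global": refused}


if __name__ == "__main__":
    print(demo())
```

The JSON-plus-HMAC path is the fix to prefer: it removes the deserializer that invokes `__reduce__` and additionally binds every entry to a key the Redis-side writer does not have, which also blocks the cache-poisoning scenario above. The restricted unpickler only limits what a pickle can name; it is a stopgap for the migration window, not a replacement.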