rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| rpc.py(PyPI) | 0.4.2 | N/A | N/A |
CVSS Metrics
