Insecure Deserialization with msgpack-numpy
Description
Unpacking with msgpack-numpy relies on pickle to deserialize numpy arrays that contain objects, so unpacking untrusted data can result in arbitrary code execution. Consider switching to a safer serialization method.
Examples
Insecure Code
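```python
import msgpack
import msgpack_numpy

# patch() makes msgpack's unpackers decode numpy arrays; arrays containing objects go through pickle
msgpack_numpy.patch()
data = msgpack.unpackb(...)
```
Secure Code
```python
import json

data = json.loads(...)
```
Remediation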
Replace msgpack-numpy with a safer serialization method, such as JSON or MessagePack without numpy support.
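
A sketch of how a static check for this pattern can work, added here as an example and not the scanner's own implementation of CODE-0005: it walks a file's AST with Python's `ast` module and reports imports and uses of `msgpack_numpy`, including aliased imports. The function name `find_msgpack_numpy_use` and the sample source are constructed for illustration.

```python
import ast

MODULE = "msgpack_numpy"

# Constructed sample source; it is only parsed, never executed.
SAMPLE = '''\
import msgpack
import msgpack_numpy as m
m.patch()
data = msgpack.unpackb(blob)
arr = msgpack.unpackb(blob, object_hook=m.decode)
'''

def find_msgpack_numpy_use(source, filename="<constructed>"):
    """Return sorted (line, message) findings for msgpack-numpy usage in source."""
    tree = ast.parse(source, filename=filename)
    aliases, from_names = set(), {}  # module aliases; local name -> imported name
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == MODULE:
                    aliases.add(a.asname or a.name)
                    findings.append((node.lineno, "import of msgpack_numpy"))
        elif isinstance(node, ast.ImportFrom) and node.module == MODULE:
            for a in node.names:
                from_names[a.asname or a.name] = a.name
            findings.append((node.lineno, "import from msgpack_numpy"))
    for node in ast.walk(tree):
        # Attribute access on the module or its alias: m.patch, m.decode, ...
        if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
                and node.value.id in aliases):
            findings.append((node.lineno, f"use of msgpack_numpy.{node.attr}"))
        # Bare names bound by "from msgpack_numpy import ..."
        elif (isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load)
                and node.id in from_names):
            findings.append((node.lineno, f"use of msgpack_numpy.{from_names[node.id]}"))
    return sorted(set(findings))

if __name__ == "__main__":
    for line, message in find_msgpack_numpy_use(SAMPLE):
        print(f"line {line}: {message}")
```

The plain `msgpack.unpackb(blob)` call on line 4 of the sample is not reported on its own; the finding that covers it is the `patch()` call on line 3, which changes what every later unpack in the process does.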
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0005 |
| Category | Deserialization |
| Severity | CRITICAL |
| CWE | CWE-502 |
| Confidence | MEDIUM |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | pickle, arbitrary code execution |
| OWASP | N/A |