CVE-2025-10974
📋 TL;DR
This CVE describes a remote code execution vulnerability in giantspatula SewKinect's /calculate endpoint due to unsafe deserialization via pickle.loads. Attackers can exploit this by sending crafted payloads in the body_parts/point_cloud parameters, which the endpoint hands to pickle.loads, potentially gaining control of affected systems. All users running vulnerable versions of SewKinect are affected.
💻 Affected Systems
- giantspatula SewKinect
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker gains full system control, executes arbitrary code, installs malware, or exfiltrates sensitive data.
Likely Case
Remote code execution leading to service disruption, data manipulation, or initial foothold for further attacks.
If Mitigated
Attack attempts are blocked at network perimeter or application firewall, with no successful exploitation.
🎯 Exploit Status
Exploit disclosed publicly; remote unauthenticated attack possible via HTTP requests to /calculate endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit after 7fd963ceb3385af3706af02b8a128a13399dffb1
Vendor Advisory: https://github.com/giantspatula/SewKinect/issues/3
Restart Required: Yes
Instructions:
1. Pull latest code from repository.
2. Verify commit hash is newer than 7fd963ceb3385af3706af02b8a128a13399dffb1.
3. Restart SewKinect service.
🔧 Temporary Workarounds
Network Access Restriction
Restrict access to SewKinect /calculate endpoint to trusted IPs only.
Input Validation
Implement strict input validation for body_parts/point_cloud parameters before pickle.loads.
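One caveat on the input-validation workaround: checking the bytes of a pickle stream before calling pickle.loads cannot make it safe, because the code that runs is carried inside the stream itself. The durable fix is to stop calling pickle.loads on request data at all. The following is an added example, not SewKinect's own code, and the request layout is an assumption (the advisory names the body_parts and point_cloud parameters but not their shape): it parses the /calculate body as JSON, validates both parameters structurally, and, for a transition period in which legacy pickle clients must still be tolerated, loads them through an unpickler that refuses every global lookup. The size limits and sample bodies are constructed.

```python
import io
import json
import pickle

# Added example, not SewKinect code. Assumed layout: point_cloud is a list of [x, y, z]
# numbers and body_parts maps a part name to a list of indices into point_cloud.
MAX_BODY_BYTES = 4 * 1024 * 1024   # assumed ceiling for one request body
MAX_POINTS = 200_000               # assumed ceiling for one point cloud


def validate_point_cloud(points):
    """Return point_cloud as a list of (x, y, z) floats, or raise ValueError."""
    if not isinstance(points, list) or not points or len(points) > MAX_POINTS:
        raise ValueError(f"point_cloud must be a non-empty list of at most {MAX_POINTS} points")
    cleaned = []
    for p in points:
        if not isinstance(p, list) or len(p) != 3:
            raise ValueError("each point must be an [x, y, z] triple")
        if not all(type(c) in (int, float) for c in p):   # type(), so bool is rejected
            raise ValueError("point coordinates must be numbers")
        cleaned.append((float(p[0]), float(p[1]), float(p[2])))
    return cleaned


def validate_body_parts(body_parts, n_points):
    """Return body_parts as {name: [indices]} with every index inside the point cloud."""
    if not isinstance(body_parts, dict):
        raise ValueError("body_parts must be an object mapping part names to index lists")
    cleaned = {}
    for name, idxs in body_parts.items():
        if not isinstance(name, str) or not name.isidentifier():
            raise ValueError("body part names must be simple identifiers")
        if not isinstance(idxs, list) or not all(type(i) is int and 0 <= i < n_points for i in idxs):
            raise ValueError(f"indices for {name!r} must be integers in [0, {n_points})")
        cleaned[name] = list(idxs)
    return cleaned


def parse_calculate_request(raw: bytes) -> dict:
    """Parse a /calculate body as JSON only; pickle.loads is never called on request data."""
    if len(raw) > MAX_BODY_BYTES:
        raise ValueError("request body too large")
    if raw[:1] == b"\x80":   # protocol 2+ pickle streams open with the PROTO opcode
        raise ValueError("pickle payloads are not accepted")
    try:
        data = json.loads(raw.decode("utf-8"))   # UnicodeDecodeError and JSONDecodeError are ValueErrors
    except ValueError as exc:
        raise ValueError(f"body is not valid JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    points = validate_point_cloud(data.get("point_cloud"))
    parts = validate_body_parts(data.get("body_parts", {}), len(points))
    return {"point_cloud": points, "body_parts": parts}


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, the hook a pickle stream needs to reach os, subprocess,
    builtins and so on; plain containers and numbers still load. Transition-period use only
    (an assumption of this example, not advisory text)."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def load_legacy_pickle(raw: bytes):
    if len(raw) > MAX_BODY_BYTES:
        raise ValueError("request body too large")
    return DataOnlyUnpickler(io.BytesIO(raw)).load()


def safe_parse(raw: bytes):
    """('ok', parsed) or ('rejected', reason), so the handler can log the refusal and answer 400."""
    try:
        return "ok", parse_calculate_request(raw)
    except ValueError as exc:
        return "rejected", str(exc)


def safe_legacy_load(raw: bytes):
    try:
        return "ok", load_legacy_pickle(raw)
    except (pickle.UnpicklingError, ValueError, EOFError, AttributeError) as exc:
        return "rejected", f"{type(exc).__name__}: {exc}"


# Constructed sample bodies for exercising the functions above.
SAMPLE_JSON = json.dumps({"point_cloud": [[0, 0, 0], [1.5, 2, 3]],
                          "body_parts": {"head": [0], "torso": [0, 1]}}).encode()
SAMPLE_BAD_JSON = json.dumps({"point_cloud": [[0, 0]], "body_parts": {"head": [0]}}).encode()
SAMPLE_DATA_PICKLE = pickle.dumps({"point_cloud": [[0, 0, 0]]})
SAMPLE_GLOBAL_PICKLE = pickle.dumps(len)   # harmless stream that merely names builtins.len
```

Calling safe_parse on SAMPLE_JSON returns the normalised structure, while both pickle samples are refused before any decoding. safe_legacy_load accepts SAMPLE_DATA_PICKLE (only containers and numbers) but rejects SAMPLE_GLOBAL_PICKLE, since resolving any global, even a harmless one, goes through find_class. Whatever is returned by the legacy path should still be passed through validate_point_cloud and validate_body_parts before use.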
🧯 If You Can't Patch
- Implement WAF rules to block pickle deserialization patterns in HTTP requests.
- Isolate SewKinect instances in restricted network segments with no internet access.
🔍 How to Verify
Check if Vulnerable:
Check git commit hash: if at or before 7fd963ceb3385af3706af02b8a128a13399dffb1, system is vulnerable.
Check Version:
git log --oneline -1
Verify Fix Applied:
Verify current commit hash is newer than 7fd963ceb3385af3706af02b8a128a13399dffb1.
📡 Detection & Monitoring
Log Indicators:
- Unusual pickle.loads errors in application logs
- HTTP requests to /calculate with large or malformed payloads
Network Indicators:
- HTTP POST requests to /calculate endpoint with pickle serialized data
SIEM Query:
source="sewkinect.log" AND "pickle.loads" AND error
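The log and network indicators above can be checked offline before they are turned into a SIEM rule. The following is an added example, not part of the advisory or of SewKinect: it scans a constructed access log plus application log for POST /calculate requests with non-JSON content types, unusually large bodies or 5xx responses, and for application-log lines carrying pickle error text, then counts hits per source address. The line format, the size threshold and every log line are constructed assumptions, so the regular expressions would need adjusting to a real deployment's log layout.

```python
import re
from collections import Counter

# Added detection example, not advisory or SewKinect code. Assumed access-log line layout:
#   <ts> <src_ip> "<method> <path> HTTP/1.1" <status> ct=<content-type> len=<body-bytes>
# Application-log lines are free text and are only searched for pickle error strings.
ACCESS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
    r'ct=(?P<ct>\S+) len=(?P<len>\d+)$'
)
PICKLE_ERROR_RE = re.compile(r'pickle\.loads|UnpicklingError|_pickle\.')
LARGE_BODY = 64 * 1024          # assumed threshold for a "large" /calculate body
ALLOWED_CT = {"application/json"}

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
2025-09-23T10:14:00Z 198.51.100.4 "POST /calculate HTTP/1.1" 200 ct=application/json len=1932
2025-09-23T10:14:02Z 203.0.113.7 "POST /calculate HTTP/1.1" 500 ct=application/octet-stream len=48213
2025-09-23T10:14:02Z ERROR calculate handler failed: _pickle.UnpicklingError: invalid load key, 'x'.
2025-09-23T10:14:05Z 203.0.113.7 "POST /calculate HTTP/1.1" 200 ct=application/x-python-serialize len=1210
2025-09-23T10:14:09Z 198.51.100.4 "GET /healthz HTTP/1.1" 200 ct=- len=0
2025-09-23T10:14:11Z 203.0.113.9 "POST /calculate HTTP/1.1" 200 ct=application/json len=80000
"""


def classify_line(line):
    """Return (source_ip_or_None, [indicator tags]) for one log line; no tags means no match."""
    tags = []
    m = ACCESS_RE.match(line)
    if m:
        if m["method"] == "POST" and m["path"].split("?", 1)[0] == "/calculate":
            if m["ct"] not in ALLOWED_CT:
                tags.append("non-json-calculate-body")
            if int(m["len"]) > LARGE_BODY:
                tags.append("large-calculate-body")
            if m["status"].startswith("5"):
                tags.append("calculate-5xx")
        return m["src"], tags
    if PICKLE_ERROR_RE.search(line):
        tags.append("pickle-error")
    return None, tags


def scan(log_text):
    """Return the flagged lines as (line_no, src, tags) and a per-source count of flagged requests."""
    hits, per_source = [], Counter()
    for n, line in enumerate(log_text.splitlines(), start=1):
        src, tags = classify_line(line)
        if tags:
            hits.append((n, src, tags))
            if src:
                per_source[src] += 1
    return hits, per_source
```

On the sample, scan flags four of the six lines: the octet-stream POST that ended in a 500, the pickle error logged at the same second, a second non-JSON POST from the same source, and an 80 kB JSON body from another address. A source that accumulates non-JSON /calculate bodies followed by pickle errors is the pattern worth alerting on; a single large JSON body is more likely a legitimate scan than an attack and deserves a lower severity.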
🔗 References
- https://github.com/giantspatula/SewKinect/issues/3
- https://github.com/giantspatula/SewKinect/issues/3#issue-3408883003
- https://vuldb.com/?ctiid.325845
- https://vuldb.com/?id.325845
- https://vuldb.com/?submit.653270