CVE-2025-62703

Severity: 8.8 HIGH

📋 TL;DR

This CVE describes a remote code execution vulnerability in Fugue's RPC server implementation. An attacker who can reach the RPC endpoint sends a crafted pickle payload; the server deserializes it without validation, and because pickle can reconstruct objects by calling arbitrary importable callables, the payload runs code with the privileges of the server process. Users running Fugue version 0.9.2 or earlier with FlaskRPCServer enabled are affected.

💻 Affected Systems

Products:
  • Fugue
Versions: 0.9.2 and prior
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using FlaskRPCServer functionality. The vulnerability is in the RPC communication mechanism.

📦 What is this software?

Fugue (fugue-project/fugue) is an open-source Python library that provides a unified interface for running the same data workflow on distributed backends such as Spark, Dask and Ray. FlaskRPCServer is the optional Flask-based RPC component through which distributed workers call back to the driver; it is this component's request handling that the advisory concerns.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Fugue server with full system access, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Unauthorized code execution leading to data theft, service disruption, or installation of backdoors.

🟢 If Mitigated

Limited impact if network segmentation and proper access controls prevent exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Pickle deserialization vulnerabilities are well-understood and easily weaponized: a payload needs nothing more than an object whose __reduce__ names a callable (os.system, builtins.exec, subprocess.Popen) and its arguments, so no memory corruption or version-specific work is required. The advisory provides technical details that could facilitate exploitation.
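To make concrete why the pickle-based RPC endpoint described in the TL;DR amounts to remote code execution, and what closing it looks like, here is an added example. It is not Fugue's code and does not reproduce what commit 6f25326 changed; the handler names, the allow-list inside RestrictedUnpickler and the HANDLERS dispatch table are illustrative assumptions. It shows (1) a handler that unpickles the request body, (2) a payload whose __reduce__ makes pickle call exec() (setting an environment variable stands in for spawning a shell), (3a) a restricted unpickler that refuses every global not on an allow-list, and (3b) the stronger fix: a data-only JSON envelope dispatched through a fixed table.

```python
"""Why an exposed pickle RPC handler is remote code execution, and two ways
to close it.  Illustrative code only, not Fugue's implementation."""
import io
import json
import os
import pickle

# ---------------------------------------------------------------------------
# 1. The vulnerable pattern: the server unpickles whatever bytes arrive.
# ---------------------------------------------------------------------------
def rpc_handle_unsafe(body: bytes):
    # pickle.loads imports and calls any callable named in the stream,
    # so the sender decides what runs here.
    return pickle.loads(body)


# ---------------------------------------------------------------------------
# 2. What an attacker sends.  __reduce__ tells pickle "rebuild me by calling
#    exec(code)".  The side effect is deliberately harmless (an env var);
#    a real payload would spawn a shell or fetch a second stage.
# ---------------------------------------------------------------------------
class _Payload:
    def __reduce__(self):
        code = "import os; os.environ['PICKLE_RCE_DEMO'] = 'pwned'"
        return (exec, (code,))


def build_payload() -> bytes:
    return pickle.dumps(_Payload())      # dumps only records the call


def rce_marker():
    """What the payload left behind after the unsafe handler ran it."""
    return os.environ.get("PICKLE_RCE_DEMO")


def benign_request() -> bytes:
    """A legitimate data-only message (constructed sample)."""
    return pickle.dumps({"method": "ping", "args": [1, 2]})


# ---------------------------------------------------------------------------
# 3a. Hardening when pickle cannot be removed: find_class() is the only hook
#     through which a stream reaches importable code, so deny everything not
#     on an explicit allow-list (the list below is an illustrative assumption).
# ---------------------------------------------------------------------------
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def rpc_handle_restricted(body: bytes):
    return RestrictedUnpickler(io.BytesIO(body)).load()


def is_rejected(body: bytes) -> bool:
    try:
        rpc_handle_restricted(body)
    except pickle.UnpicklingError:
        return True
    return False


# ---------------------------------------------------------------------------
# 3b. The better fix: a data-only wire format plus a fixed dispatch table,
#     so a client can name a method but never supply code.
# ---------------------------------------------------------------------------
HANDLERS = {
    "ping": lambda: "pong",
    "add": lambda a, b: a + b,
}


def rpc_handle_json(body: bytes):
    msg = json.loads(body)
    if not isinstance(msg, dict) or msg.get("method") not in HANDLERS:
        raise ValueError("unknown method")
    args = msg.get("args", [])
    if not isinstance(args, list):
        raise ValueError("args must be a list")
    return HANDLERS[msg["method"]](*args)


if __name__ == "__main__":
    evil = build_payload()
    rpc_handle_unsafe(evil)
    print("unsafe handler ran attacker code:", rce_marker())
    print("restricted unpickler rejected it:", is_rejected(evil))
    print("json dispatch:", rpc_handle_json(b'{"method": "add", "args": [2, 3]}'))
```

RestrictedUnpickler only narrows the surface: any allow-listed class that itself runs code on construction or in __setstate__ reopens it, which is why a data-only wire format with server-side dispatch is the choice to prefer when the protocol can be changed.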

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: any release that includes commit 6f25326 (see the vendor advisory for the first fixed release)

Vendor Advisory: https://github.com/fugue-project/fugue/security/advisories/GHSA-xv5p-fjw5-vrj6

Restart Required: Yes

Instructions:

1. Update Fugue to a version containing commit 6f25326 or later.
2. Restart all Fugue services.
3. Verify the fix by checking the version and testing RPC functionality.

🔧 Temporary Workarounds

Disable FlaskRPCServer

Platform: all

Temporarily disable the vulnerable RPC server component if not required.

Modify Fugue configuration to disable FlaskRPCServer

Network Segmentation

Platform: all

Restrict network access to Fugue RPC endpoints.

Configure firewall rules to limit access to Fugue RPC ports

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the Fugue RPC endpoints
  • Monitor for unusual pickle deserialization patterns or unexpected code execution

🔍 How to Verify

Check if Vulnerable:

Check if Fugue version is 0.9.2 or earlier and FlaskRPCServer is enabled in configuration.

Check Version:

python -c "import fugue; print(fugue.__version__)"

Verify Fix Applied:

Confirm that the installed release is one the vendor advisory lists as containing commit 6f25326, then exercise the RPC path with benign requests to make sure the service still functions after the upgrade.

📡 Detection & Monitoring

Log Indicators:

  • Unusual pickle deserialization errors
  • Unexpected process execution from Fugue services
  • Abnormal RPC request patterns

Network Indicators:

  • Malformed pickle data in RPC communications
  • Unexpected outbound connections from Fugue servers

SIEM Query:

source="fugue" AND (event="deserialization_error" OR process_execution="unexpected")

The field names above are illustrative; map them to whatever your log pipeline actually emits for Fugue processes (application log source, child process creation events from the host's EDR or auditd).
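The "malformed pickle data in RPC communications" indicator above is hard to act on by eye. A practical check on a captured request body is to disassemble it with pickletools and see which importable globals it would resolve, without ever loading it. The following is an added example, not Fugue's code; the sample bodies, the verdict labels and the opcode sets are constructed for the demonstration, and the allow-list defaults to empty because a legitimate data-only RPC message resolves no globals at all.

```python
"""Static triage of an RPC body: is it a pickle stream, and which importable
globals would it touch?  Never calls pickle.loads().  Added example, not
Fugue's own code; the sample bodies below are constructed."""
import pickle
import pickletools

# Opcodes that resolve importable names or invoke callables while loading.
CODE_REACHING_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
    "REDUCE", "NEWOBJ", "NEWOBJ_EX", "BUILD",
}
# Opcodes that push a string; STACK_GLOBAL takes module and name from these.
STRING_OPCODES = {
    "SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
    "STRING", "SHORT_BINSTRING", "BINSTRING",
}


def inspect_pickle(body: bytes) -> dict:
    """Disassemble with pickletools.genops (no code runs) and report the
    code-reaching opcodes and the (module, name) globals the stream resolves."""
    report = {"is_pickle": False, "opcodes": [], "globals": []}
    try:
        ops = list(pickletools.genops(body))
    except Exception:            # unknown opcode, truncated stream, bad argument
        return report
    report["is_pickle"] = True
    recent_strings = []          # heuristic: the last two pushed strings
    for opcode, arg, _pos in ops:
        if opcode.name in STRING_OPCODES:
            recent_strings.append(arg)
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)      # genops renders "module name"
            report["globals"].append((module, name))
        elif opcode.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            report["globals"].append((recent_strings[-2], recent_strings[-1]))
        if opcode.name in CODE_REACHING_OPCODES:
            report["opcodes"].append(opcode.name)
    return report


def verdict(body: bytes, allowed_globals=frozenset()) -> str:
    """'not-pickle' | 'clean' | 'suspicious'.  Any global outside the
    allow-list is suspicious; plain data (dicts, lists, ints, strings)
    resolves no globals and is 'clean'."""
    report = inspect_pickle(body)
    if not report["is_pickle"]:
        return "not-pickle"
    if any(g not in allowed_globals for g in report["globals"]):
        return "suspicious"
    return "clean"


# --- constructed sample bodies ---------------------------------------------
class _Payload:                  # attacker object: "rebuild me by calling exec()"
    def __reduce__(self):
        return (exec, ("import os; os.environ['PICKLE_RCE_DEMO'] = 'pwned'",))


SAMPLES = {
    "benign":     pickle.dumps({"method": "ping", "args": [1, 2]}),
    "rce_proto4": pickle.dumps(_Payload(), protocol=4),   # STACK_GLOBAL form
    "rce_proto0": pickle.dumps(_Payload(), protocol=0),   # text GLOBAL form
    "json_body":  b'{"method": "ping", "args": [1, 2]}',  # not a pickle at all
}


def triage_all() -> dict:
    return {label: verdict(body) for label, body in SAMPLES.items()}


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:11s} {verdict(body):10s} {inspect_pickle(body)['globals']}")
```

Tune allowed_globals to the types your RPC legitimately carries; a pickled DataFrame, for example, resolves pandas globals and would otherwise be flagged. The opcode list in the report is for the analyst: a stream with REDUCE or BUILD but no resolved global has reached a callable through the memo, which the string heuristic above does not follow.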

🔗 References

  • Vendor advisory (GHSA-xv5p-fjw5-vrj6): https://github.com/fugue-project/fugue/security/advisories/GHSA-xv5p-fjw5-vrj6
  • Fix: commit 6f25326 in fugue-project/fugue
