Cyber Resilience

CVE-2025-62703

HighPublic PoC

Published: 25 November 2025

Published
25 November 2025
Modified
30 December 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0056 68.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-62703 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Fugue-Project Fugue. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Data Processing Libraries; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-62703 is a remote code execution vulnerability in the Fugue framework, a unified interface for distributed computing that enables execution of Python, Pandas, and SQL code on backends like Spark, Dask, and Ray. The issue affects version 0.9.2 and prior, stemming from unsafe deserialization in the FlaskRPCServer component. Specifically, the _decode() function in fugue/rpc/flask.py directly invokes cloudpickle.loads() on incoming data without sanitization, allowing arbitrary serialized Python objects sent via RPC to be deserialized and executed on the server. The vulnerability is rated 8.8 on the CVSS v3.1 scale (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-502 (Deserialization of Untrusted Data).

Attackers on an adjacent network (AV:A) can exploit this with low complexity and no privileges or user interaction required. By sending malicious pickle data through the RPC communication mechanism, an unauthenticated adversary can trigger arbitrary code execution on the server hosting the FlaskRPCServer, potentially compromising confidentiality, integrity, and availability with high impact.

The Fugue project has addressed the vulnerability via commit 6f25326779fd1f528198098d6287c5a863176fc0, as detailed in GitHub Security Advisory GHSA-xv5p-fjw5-vrj6. Security practitioners should ensure affected deployments upgrade to a patched version of Fugue beyond 0.9.2.

EU & UK References

Vulnerability details

Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization…

more

via FlaskRPCServer. The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server implementation, I found that the _decode() function in fugue/rpc/flask.py directly uses cloudpickle.loads() to deserialize data without any sanitization. This creates a remote code execution vulnerability when malicious pickle data is processed by the RPC server. The vulnerability exists in the RPC communication mechanism where the client can send arbitrary serialized Python objects that will be deserialized on the server side, allowing attackers to execute arbitrary code on the victim's machine. This issue has been patched via commit 6f25326.

CWE(s)

AI Security AnalysisAI

AI Category
Data Processing Libraries
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: pandas

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Unsafe deserialization via cloudpickle.loads() in FlaskRPCServer enables remote code execution by sending malicious serialized Python objects over RPC, facilitating exploitation of public-facing web applications (T1190), exploitation of remote services (T1210), and Python code execution (T1059.006).

CVEs Like This One

CVE-2026-26220Shared CWE-502
CVE-2026-31234Shared CWE-502
CVE-2026-31072Shared CWE-502
CVE-2025-27780Shared CWE-502
CVE-2025-50460Shared CWE-502
CVE-2024-9701Shared CWE-502
CVE-2025-27779Shared CWE-502
CVE-2026-49121Shared CWE-502
CVE-2025-27781Shared CWE-502
CVE-2025-62373Shared CWE-502

Affected Assets

fugue-project
fugue
≤ 0.9.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates unsafe deserialization by requiring validation of incoming RPC pickle data to ensure it is within acceptable domains before processing.

prevent

Addresses the specific deserialization flaw in Fugue by requiring identification, reporting, and timely application of patches like commit 6f25326.

prevent

Reduces exposure of the FlaskRPCServer to adjacent network attackers (AV:A) by monitoring and controlling communications at system boundaries.

References