CodeAnt AI home pagelight logodark logo
  • Dashboard
  • Dashboard
  • Documentation
  • Demo Call with CEO
  • Blog
  • Slack
    • Get Started
    • CodeAnt AI
    • Setup
    • Control Center
    • Pull Request Review
    • IDE
    • Compliance
    • Anti-Patterns
    • Code Governance
    • Infrastructure Security Database
    • Application Security Database
      • Apex
      • Bash
      • C
      • Clojure
      • Cpp
      • Csharp
      • Dockerfile
      • Elixir
      • Fingerprints
      • Generic
      • Go
      • Html
      • Java
      • Javascript
      • Json
      • Kotlin
      • Ocaml
      • Php
      • Problem-based-packs
      • Python
        • Airflow
        • Attr
        • Aws-lambda
        • Bokeh
        • Boto3
        • Cassandra
        • Click
        • Correctness
        • Couchbase
        • Cryptography
        • Distributed
        • Django
        • Docker
        • Elasticsearch
        • Fastapi
        • Flask
        • Jinja2
        • Jwt
        • Lang
          • Best practice
          • Code
          • Compatibility
          • Correctness
          • Correctness
          • Deserialization
            • Tainted-dill
            • Tainted-json
            • Tainted-jsonpickle
            • Tainted-marshal
            • Tainted-numpy-pickle
              • Tainted numpy pickle
            • Tainted-pandas-hdf
            • Tainted-pandas-pickle
            • Tainted-pickle
            • Tainted-pyyaml
            • Tainted-ruamel
            • Tainted-shelve
            • Tainted-torch-pickle
          • File
          • Hardcoded
          • Maintainability
          • Os
          • Security
          • Security
        • Ldap3
        • Mariadb
        • Mysql
        • Mysqlclient
        • Neo4j
        • Openai
        • Peewee
        • Pg8000
        • Psycopg2
        • Pycryptodome
        • Pyjwt
        • Pymongo
        • Pymssql
        • Pymysql
        • Pyramid
        • Redis
        • Requests
        • Sh
        • Sqlalchemy
        • Tormysql
        • Urllib3
        • Webrepl
        • Wtforms
      • Ruby
      • Rust
      • Scala
      • Solidity
      • Swift
      • Terraform
      • Typescript
      • Yaml
    Tainted-numpy-pickle

    Tainted numpy pickle

    tainted-numpy-pickle

    The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The numpy.load() function allows pickle for object deserialization. This behaviour is turned off by default in version 1.16.3. Do not turn this on with allow_pickle=True when loading data from untrusted sources.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-502: Deserialization of Untrusted Data
    OWASP:
    - A08:2017 - Insecure Deserialization
    - A08:2021 - Software and Data Integrity Failures
    Tainted marshalTainted pandas hdf
    twitterlinkedin
    Powered by Mintlify
    Assistant
    Responses are generated using AI and may contain mistakes.