CVE-2019-12760
Description
A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution. NOTE: This is disputed because "the cache directory is not under control of the attacker in any common configuration."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A deserialization vulnerability in parso <=0.4.0 allows arbitrary code execution via malicious pickle in cache files, though disputed.
The vulnerability lies in how parso handles grammar parsing from its cache. Cache loading relies on Python's pickle module, which can deserialize arbitrary objects. If an attacker can write a malicious pickle to a cache grammar file and trigger its parsing, arbitrary code execution is possible [1][2].
Exploitation requires the attacker to have write access to the parso cache directory and the ability to induce the application to load the tampered cache file. The exact cache path can be guessed based on the file's hash [1]. This attack is not straightforward as the cache directory is typically not under attacker control [2].
The impact is arbitrary code execution with the privileges of the user running the vulnerable application. This could lead to full system compromise depending on the context [2][3].
The issue has been disputed because in common configurations the cache directory is not accessible to an attacker. However, users are advised to ensure that untrusted users cannot write to the parso cache directory. No official patch is available as of parso 0.4.0 [4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| parso (PyPI) | <= 0.4.0 | — |
Affected products
- parso/parso
  - Range: <=0.4.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"parso uses Python's pickle to deserialize grammar cache files without validating the integrity or origin of the cached data, enabling arbitrary code execution if an attacker can write a malicious pickle to the cache path."
Attack vector
An attacker who can write files to the target filesystem (e.g., via a separate file-upload or write primitive) can compute the deterministic cache file path, write a malicious pickle payload to that location, and then trigger parso grammar processing. When `parso.load_grammar()` or `g.parse()` is called with `cache=True`, parso deserializes the pickle from the cache file without integrity checks [CWE-502]. The PoC [ref_id=1] demonstrates this by writing an evil pickle whose `__reduce__` method executes an arbitrary system command, achieving remote code execution when the grammar is loaded.
Affected code
The vulnerability resides in parso's cache-loading mechanism, which uses Python's `pickle` module to deserialize grammar cache files. The PoC [ref_id=1] shows that `parso.load_grammar()` and `g.parse(path=..., cache=True, cache_path=...)` trigger loading of a `.pkl` cache file whose path is derived from a SHA-256 hash of the grammar file and the dummy path. The cache file path format is `{cache_path}/{implementation}-{version}-{pickle_version}/{grammar_hash}-{path_hash}.pkl` [ref_id=1].
What the fix does
The advisory does not include a published patch. The recommended remediation is to avoid using pickle for cache serialization or to ensure that cache files are stored in a directory that is not writable by untrusted users. The PoC author notes that the attack requires the attacker to be able to create folders and write files on the target [ref_id=1], which is disputed as not being a common configuration. Without a fix, users should disable caching or restrict write access to the cache directory.
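The root cause above is a cache loader that hands untrusted bytes straight to `pickle` with no integrity or origin check. The following is an added example, not parso's code, of what a hardened cache loader looks like: it refuses a cache directory that other users can write to, and it stores an HMAC-SHA256 tag beside every pickled object and verifies that tag before `pickle.loads()` ever runs. The `CACHE_KEY`, the file layout (32-byte tag followed by the pickle) and the simplified `{grammar_hash}-{path_hash}.pkl` naming are assumptions made for illustration; the version-prefixed directory mentioned on this page is omitted.

```python
"""Added example (not parso's code): an integrity-checked pickle cache.

Two defensive controls, both assumed for illustration:
  1. refuse to use a cache directory that group/others can write to;
  2. store an HMAC-SHA256 tag next to each pickle and verify it before
     pickle.loads() ever sees the bytes.
"""
import hashlib
import hmac
import os
import pickle
import stat
import tempfile

# Hypothetical per-installation secret. A real application keeps it outside
# the cache directory (e.g. a file readable only by the application user).
CACHE_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = 32  # SHA-256 digest size


def cache_dir_is_private(path: str) -> bool:
    """True if `path` is a directory that group/others cannot write to and,
    on POSIX, is owned by the current user (rejects shared dirs like /tmp)."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if os.name == "posix":
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False
        if st.st_uid != os.getuid():
            return False
    return True


def cache_file_for(cache_dir: str, grammar_text: str, source_path: str) -> str:
    """Deterministic .pkl name from SHA-256 of the grammar text and of the
    source path (simplified version of the scheme described on this page)."""
    grammar_hash = hashlib.sha256(grammar_text.encode()).hexdigest()
    path_hash = hashlib.sha256(source_path.encode()).hexdigest()
    return os.path.join(cache_dir, f"{grammar_hash}-{path_hash}.pkl")


def save_cache(cache_dir: str, grammar_text: str, source_path: str, obj) -> str:
    """Pickle `obj`, prefix it with an HMAC tag, write it owner-only."""
    blob = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(CACHE_KEY, blob, hashlib.sha256).digest()
    target = cache_file_for(cache_dir, grammar_text, source_path)
    with open(target, "wb") as fh:
        fh.write(tag + blob)
    os.chmod(target, 0o600)
    return target


def load_cache(cache_dir: str, grammar_text: str, source_path: str):
    """Return the cached object, or None when the directory is untrusted,
    the file is missing, or the HMAC does not verify. pickle.loads() is
    reached only after the tag check passes."""
    if not cache_dir_is_private(cache_dir):
        return None
    target = cache_file_for(cache_dir, grammar_text, source_path)
    if not os.path.isfile(target):
        return None
    with open(target, "rb") as fh:
        data = fh.read()
    tag, blob = data[:TAG_LEN], data[TAG_LEN:]
    expected = hmac.new(CACHE_KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or foreign file: never unpickle it
    return pickle.loads(blob)


def demo() -> dict:
    """Constructed round trip: a clean cache loads; a modified file and a
    world-writable cache directory are both refused."""
    results = {}
    with tempfile.TemporaryDirectory() as cache_dir:
        os.chmod(cache_dir, 0o700)
        grammar = "constructed grammar text"
        src = "/constructed/example.py"
        tree = {"kind": "module", "children": ["constructed"]}
        path = save_cache(cache_dir, grammar, src, tree)
        results["clean"] = load_cache(cache_dir, grammar, src)
        # Simulate a modified cache file: flip one byte inside the payload.
        with open(path, "r+b") as fh:
            fh.seek(TAG_LEN + 8)
            b = fh.read(1)
            fh.seek(TAG_LEN + 8)
            fh.write(bytes([b[0] ^ 0xFF]))
        results["tampered"] = load_cache(cache_dir, grammar, src)
        # A cache directory writable by everyone is refused before any read.
        os.chmod(cache_dir, 0o777)
        results["shared_dir"] = load_cache(cache_dir, grammar, src)
        os.chmod(cache_dir, 0o700)
    return results


if __name__ == "__main__":
    print(demo())
```

The HMAC check addresses the missing integrity validation; the directory check addresses the precondition that an attacker can write into the cache path. Neither replaces the page's stronger advice of not using pickle for a cache at all, since a key that leaks or is shared across users restores the original problem.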
Preconditions
- input: Attacker must be able to write files to the target filesystem (specifically to the parso cache directory)
- config: The vulnerable application must call parso's grammar parsing with caching enabled (cache=True)
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-22mf-97vh-x8rw (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-12760 (GHSA advisory)
- gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7 (GHSA, x_refsource_MISC, web)
- github.com/davidhalter/parso/issues/75 (GHSA, x_refsource_MISC, web)
- github.com/pypa/advisory-database/tree/main/vulns/parso/PYSEC-2019-109.yaml (GHSA, web)
News mentions
No linked articles in our index yet.