Critical severity9.8GHSA Advisory· Published Oct 17, 2025· Updated Apr 15, 2026

CVE-2025-62515

Description

pyquokka is a framework for making data lakes work for time series. In versions 0.3.1 and prior, the FlightServer class directly uses pickle.loads() to deserialize action bodies received from Flight clients without any sanitization or validation in the do_action() method. The vulnerable code is located in pyquokka/flight.py at line 283 where arbitrary data from Flight clients is directly passed to pickle.loads(). When FlightServer is configured to listen on 0.0.0.0, this allows attackers across the entire network to perform arbitrary remote code execution by sending malicious pickled payloads through the set_configs action. Additional vulnerability points exist in the cache_garbage_collect, do_put, and do_get functions where pickle.loads is used to deserialize untrusted remote data.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
pyquokkaPyPI	<= 0.3.1	—

Affected products

Marsupialtail/QuokkaGHSA
Range: <= 0.3.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-f74j-gffq-vm9pghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-62515ghsaADVISORY
github.com/marsupialtail/quokka/blob/master/pyquokka/flight.pyghsaWEB
github.com/marsupialtail/quokka/security/advisories/GHSA-f74j-gffq-vm9pnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000