CVE-2026-10042
Description
manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize attacker-controlled HTTP request bodies using pickle.loads(). A remote attacker can supply a crafted pickle payload to these endpoints to execute arbitrary code in the server process, resulting in full container compromise when running in the default Docker deployment as root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
manga-image-translator RCE via unsafe pickle deserialization in share.py endpoints, allowing full container compromise without authentication when nonce is disabled.
Vulnerability
The shared API server mode in manga-image-translator contains a remote code execution vulnerability in manga_translator/mode/share.py. The /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize attacker-controlled HTTP request bodies using Python's pickle.loads() without adequate restrictions [1]. On /simple_execute, raw pickle.loads() is used when self.nonce is None, which occurs when the server is deployed with --nonce None (a documented option per the project README). The /execute endpoint always calls pickle.loads() directly, regardless of nonce configuration [1]. Versions prior to commit d7441481a7ed3236b4e0456670a9962a8c82d94d are affected [2].
Exploitation
A remote attacker who can reach the server on port 5003 can send a crafted pickle payload to either endpoint via an HTTP POST request [1]. If the server is running with --nonce None, no authentication is needed. If a nonce is configured, the attacker must know the nonce value to satisfy the X-Nonce header check, but even then the /execute endpoint remains fully exploitable [1]. The attacker crafts a malicious pickle object that executes arbitrary Python code when deserialized by pickle.loads() [3]. The server processes the payload immediately, with no user interaction required [1].
Impact
Successful exploitation allows arbitrary code execution in the server process [1][3]. The default Docker deployment runs the process as root, giving the attacker full compromise of the container [1]. Depending on Docker configuration, this may enable container escape and host-level compromise [1]. The confidentiality, integrity, and availability of the application and host are completely lost.
Mitigation
The vulnerability is fixed in commit d7441481a7ed3236b4e0456670a9962a8c82d94d (merge of pull request #1142) [2][4]. The fix replaces all instances of pickle.loads() with restricted_loads(), which enforces a module allowlist and prevents arbitrary code deserialization [2][4]. Users should update to the latest commit or version containing this fix. If patching is not immediately possible, do not deploy the shared API server reachable from untrusted networks, and avoid using --nonce None [1]. No workaround short of restricting network access is available for unpatched instances.
- [1] [Bug]: Unauthenticated RCE via pickle deserialization in shared API server
- [2] Merge pull request #1142 from AAtomical/fix/shared-api-execute-pickle… · zyddnys/manga-image-translator@d744148
- [3] manga-image-translator RCE via Unsafe Pickle Deserialization in Share Model
- [4] fix: use restricted_loads in /execute endpoint to prevent RCE (CWE-502) by AAtomical · Pull Request #1142 · zyddnys/manga-image-translator
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (1)
d7441481a7ed Merge pull request #1142 from AAtomical/fix/shared-api-execute-pickle-rce
1 file changed · +2 −5
manga_translator/mode/share.py+2 −5 modified@@ -140,10 +140,7 @@ async def execute_method(request: Request, method_name: str = Path(...)): self.check_nonce(request) self.check_lock() method = self.get_fn(method_name) - if self.nonce is None: - attr = pickle.loads(await request.body()) - else: - attr = restricted_loads(await request.body()) + attr = restricted_loads(await request.body()) try: if asyncio.iscoroutinefunction(method): result = await method(**attr) @@ -161,7 +158,7 @@ async def execute_method(request: Request, method_name: str = Path(...)): self.check_nonce(request) self.check_lock() method = self.get_fn(method_name) - attr = pickle.loads(await request.body()) + attr = restricted_loads(await request.body()) # 根据端点类型决定是否使用占位符优化 config = attr.get('config')
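Review bot: the first hunk (@@ -140,10 +140,7) has no regression test for the case it fixes. With the `if self.nonce is None:` branch removed, a server started without a nonce depends entirely on `restricted_loads`, so add a test that sends a body referencing a global outside the allowlist with the nonce unset and asserts it is rejected before `method(**attr)` runs. If `pickle` is no longer used elsewhere in share.py, drop its import so a later edit cannot reintroduce `pickle.loads` unnoticed.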
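Review bot: in the second hunk (@@ -161,7 +158,7), `config = attr.get('config')` still assumes the decoded body is a dict. A body that decodes to a list or a string passes `restricted_loads` without touching any global and then fails on `.get`; check `isinstance(attr, dict)` directly after the load and return a client error instead. The `method(**attr)` call in the first hunk rests on the same assumption.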
Vulnerability mechanics
Root cause
"Unsafe deserialization of untrusted pickle data via `pickle.loads()` in the `/execute` and `/simple_execute` endpoints of `share.py`."
Attack vector
A remote attacker sends a crafted HTTP POST request to either `/execute/{method_name}` or `/simple_execute/{method_name}` with a malicious pickle payload as the body. When the server is started with `--nonce None` (a documented option), no authentication is required and the attacker achieves arbitrary code execution with zero credentials [ref_id=1]. Even when a nonce is configured, the `/execute` endpoint always uses unsafe `pickle.loads()`, so an attacker who can observe or guess the plaintext `X-Nonce` header can still exploit the vulnerability [CWE-502][ref_id=1].
Affected code
The vulnerability resides in `manga_translator/mode/share.py` in the `/execute/{method_name}` and `/simple_execute/{method_name}` endpoints. The `/execute` endpoint unconditionally called `pickle.loads()` on the request body, while `/simple_execute` only used `restricted_loads()` when a nonce was set, falling back to unsafe `pickle.loads()` when `self.nonce is None` [patch_id=3100789][ref_id=1].
What the fix does
The patch replaces both `pickle.loads()` calls with `restricted_loads()`, which enforces an allowlist of permitted module/class combinations during deserialization [patch_id=3100789][ref_id=2]. In the `/execute` endpoint the unconditional `pickle.loads()` was replaced, and in `/simple_execute` the conditional branch that fell back to `pickle.loads()` when `self.nonce is None` was removed so that `restricted_loads()` is always used. This prevents an attacker from supplying a `__reduce__` gadget that executes arbitrary system commands.
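An allowlisting loader of the kind the fix relies on, written here as an added example; it is not the project's `restricted_loads`. The allowlist contents, `load_request_kwargs`, `Probe` and the sample bodies are assumptions constructed for illustration, and the probe calls only a harmless function.

```python
import io
import os
import pickle

# Assumed allowlist for illustration; the project's real list is not shown on this page.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted (module, name) globals."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # Refuse before the global is imported or called.
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_request_kwargs(body: bytes) -> dict:
    """Decode a request body into keyword arguments for a handler."""
    obj = restricted_loads(body)
    if not isinstance(obj, dict) or not all(isinstance(k, str) for k in obj):
        raise ValueError("request body must decode to a dict with string keys")
    return obj


class Probe:
    """Constructed test object: plain pickle.loads() would call os.getcwd()."""

    def __reduce__(self):
        return (os.getcwd, ())


def is_rejected(body: bytes) -> bool:
    try:
        load_request_kwargs(body)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False


# Constructed sample bodies: a normal request, a callable probe, a non-dict.
GOOD_BODY = pickle.dumps({"config": None, "text": "hello"})
PROBE_BODY = pickle.dumps(Probe())
LIST_BODY = pickle.dumps(["not", "a", "dict"])
```

The probe is refused inside `find_class`, before the referenced function is resolved, and the list body is refused by the type check that the handlers' `method(**attr)` and `attr.get('config')` calls otherwise take for granted.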
Preconditions
- config: The server must be running in shared API server mode (`python -m manga_translator shared`)
- network: Network access to the server's port (default 5003)
- auth: If a nonce is configured, the attacker must know or capture the nonce value from plaintext HTTP traffic
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
- github.com/zyddnys/manga-image-translator/commit/d7441481a7ed3236b4e0456670a9962a8c82d94d (nvd)
- github.com/zyddnys/manga-image-translator/issues/1141 (nvd)
- github.com/zyddnys/manga-image-translator/pull/1142 (nvd)
- www.vulncheck.com/advisories/manga-image-translator-rce-via-unsafe-pickle-deserialization-in-share-model (nvd)