CVE-2025-61765 PoC — python-socketio vulnerable to arbitrary Python code execution (RCE) through malicious pickle deserialization in certain

Title:python-socketio vulnerable to arbitrary Python code execution (RCE) through malicious pickle deserialization in certain multi-server deployments (CVE-2025-61765)
Description:python-socketio is a Python implementation of the Socket.IO realtime client and server. A remote code execution vulnerability in python-socketio versions prior to 5.14.0 allows attackers to execute arbitrary Python code through malicious pickle deserialization in multi-server deployments on which the attacker previously gained access to the message queue that the servers use for internal communications. When Socket.IO servers are configured to use a message queue backend such as Redis for inter-server communication, messages sent between the servers are encoded using the `pickle` Python module. When a server receives one of these messages through the message queue, it assumes it is trusted and immediately deserializes it. The vulnerability stems from deserialization of messages using Python's `pickle.loads()` function. Having previously obtained access to the message queue, the attacker can send a python-socketio server a crafted pickle payload that executes arbitrary code during deserialization via Python's `__reduce__` method. This vulnerability only affects deployments with a compromised message queue. The attack can lead to the attacker executing random code in the context of, and with the privileges of a Socket.IO server process. Single-server systems that do not use a message queue, and multi-server systems with a secure message queue are not vulnerable. In addition to making sure standard security practices are followed in the deployment of the message queue, users of the python-socketio package can upgrade to version 5.14.0 or newer, which remove the `pickle` module and use the much safer JSON encoding for inter-server messaging.

Proof of Concept of an unsafe pickle deserialization vulnerability in Socket.IO

# Summary

A remote code execution vulnerability in python-socketio versions prior to 5.14.0 allows attackers to execute arbitrary Python code through malicious pickle deserialization in multi-server deployments on which the attacker previously gained access to the message queue that the servers use for internal communications.
You can find a detailed analysis of this vulnerability in the [GitHub Advisory](https://github.com/miguelgrinberg/python-socketio/security/advisories/GHSA-g8c6-8fjj-2r4m).

# Run

There are three docker containers involved in this demo:
1. **Redis Server**: Acts as the message broker.
2. **Vulnerable Socket.IO Server**: A Flask-based server that uses python-socketio to handle WebSocket connections and communicates via Redis.
3. **Attacker Client**: A client that connects to the Socket.IO server and sends a malicious payload to exploit the vulnerability.

There is a `docker-compose.yml` file that orchestrates these containers. To run the demo, execute the following command in the directory containing the `docker-compose.yml` file:

```bash
docker-compose up --build
```

This command will build and start all three containers. The Socket.IO server will be accessible at `http://localhost:5000`, and the attacker client will automatically attempt to exploit the vulnerability upon startup. You can check the `evidence` directory for any files created by the exploit in the socketio_server container.

 [4.0K]  /data/pocs/01d2ef2df14679e20669ce65cac6a202e32e231d
├── [2.0K]  docker-compose.yml
├── [ 561]  Dockerfile.edge_server
├── [ 818]  Dockerfile.socketio_server
├── [4.0K]  edge_server
│   ├── [3.9K]  app.py
│   ├── [2.5K]  README.md
│   └── [  42]  requirements.txt
├── [6.0K]  poc.py
├── [1.4K]  README.md
└── [4.0K]  socketio_server
    ├── [8.0K]  poc.py
    ├── [ 126]  requirements.txt
    └── [9.0K]  server.py

3 directories, 11 files