Security Vulnerability Report: Insecure Deserialization in datacompy
Date: November 30, 2025
Reporter: [ArcanaAI Penetration Testing Agent]
Target Repository: capitalone/datacompy
Executive Summary
A Critical-Severity Insecure Deserialization vulnerability exists in datacompy, specifically within the fugue.py module (and potentially others utilizing pickle). The library uses Python's pickle module to serialize and deserialize dataframes/objects.
pickle is inherently unsafe for untrusted input: unpickling executes the instructions embedded in the byte stream, including calls to arbitrary importable callables. If an application uses datacompy to process data from untrusted sources (e.g., a user-uploaded file), an attacker can craft a malicious pickle payload that executes arbitrary code (Remote Code Execution - RCE) upon deserialization.
Vulnerability Details
1. Insecure Pickle Usage
Location: datacompy/fugue.py
Method: deserialize (or similar internal helpers)
Line: ~118, ~197
Vulnerable Code Pattern:
import pickle
...
data = pickle.loads(payload)

Impact:
Complete system compromise. RCE allows the attacker to take full control of the Python process and the underlying server.
Remediation
Replace pickle with a secure serialization format.
- Use JSON for simple data structures.
- Use Parquet or Arrow for DataFrames.
- If pickle is absolutely required for internal state, sign the data using HMAC to ensure integrity and prevent tampering.
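The third remediation point, HMAC-signing pickle bytes so that only payloads produced by a key holder ever reach pickle.loads, is shown below as an added example. It is not code from datacompy or from the report; the key handling (a key generated at import time) and the function names are assumptions for illustration, and a real deployment would load the key from a secret store. The point it demonstrates is ordering: the tag is verified with a constant-time comparison before any byte is handed to the unpickler, so a tampered or forged blob is rejected without being deserialized.

```python
import hashlib
import hmac
import pickle
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256

# Hypothetical key for this example only; in production it comes from a
# secret store and is never checked into source. Anyone holding the key can
# produce valid blobs, so signing protects integrity, not confidentiality.
SECRET_KEY = secrets.token_bytes(32)


def signed_dumps(obj, key=SECRET_KEY):
    """Serialize obj with pickle and prepend an HMAC-SHA256 tag over the bytes."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def signed_loads(blob, key=SECRET_KEY):
    """Verify the tag first; pickle.loads runs only on a payload we produced."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry an HMAC tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest avoids leaking the tag through timing differences
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC verification failed; payload rejected")
    return pickle.loads(payload)


def roundtrip_ok():
    """A blob signed with the right key deserializes to the original object."""
    obj = {"schema": ["id", "name"], "rows": [(1, "a"), (2, "b")]}  # constructed sample
    return signed_loads(signed_dumps(obj)) == obj


def tampered_rejected():
    """Flipping one byte of the pickle body invalidates the tag; loads never runs."""
    blob = bytearray(signed_dumps({"x": 1}))
    blob[-1] ^= 0xFF
    try:
        signed_loads(bytes(blob))
    except ValueError:
        return True
    return False


def wrong_key_rejected():
    """A blob signed under another key (an attacker's or a stale one) is rejected."""
    blob = signed_dumps({"x": 1}, key=secrets.token_bytes(32))
    try:
        signed_loads(blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("roundtrip:", roundtrip_ok())
    print("tampered rejected:", tampered_rejected())
    print("wrong key rejected:", wrong_key_rejected())
```

Signing only helps for data the application itself produced and stored, such as internal state shipped between workers. For bytes that originate outside the trust boundary (a user upload, a file of unknown origin) there is no key to verify against, which is why the first two remediation points, JSON or Parquet/Arrow, are the right choice there rather than any pickle wrapper.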
Disclosure Timeline
- 2025-11-30: Vulnerability identified.
- 2025-11-30: Report generated.