CVE-2025-63675: cryptidy allows code execution via untrusted data due to pickle.loads
cryptidy through 1.2.4 allows code execution via untrusted data because pickle.loads is used. This occurs in aes_decrypt_message in symmetric_encryption.py.
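One way to harden a pickle.loads call of the kind named above, shown as an added example (this is not cryptidy's code or its fix): a restricted unpickler that rejects any pickle referencing a class or function, applied to the bytes that decryption yields. The names NoGlobalsUnpickler, safe_loads and demo, and the sample payloads, are constructed for illustration; the example assumes the serialized data only needs built-in containers and scalars.

```python
import io
import pickle


class NoGlobalsUnpickler(pickle.Unpickler):
    """Hypothetical helper: loads only built-in containers and scalars."""

    def find_class(self, module, name):
        # GLOBAL / STACK_GLOBAL opcodes resolve names through find_class;
        # plain pickle.loads would import the object and a following
        # REDUCE opcode would call it. Refuse every such lookup.
        raise pickle.UnpicklingError(
            f"blocked global {module}.{name} in untrusted pickle"
        )


def safe_loads(plaintext: bytes):
    """Replacement for pickle.loads on decrypted but untrusted bytes."""
    return NoGlobalsUnpickler(io.BytesIO(plaintext)).load()


class _CallsOnLoad:
    """Constructed sample: pickles to 'call len("abc")', a harmless call."""

    def __reduce__(self):
        return (len, ("abc",))


def demo():
    plain = pickle.dumps({"user": "alice", "roles": ["admin"], "n": 3})
    calls = pickle.dumps(_CallsOnLoad())
    results = {"plain_safe": safe_loads(plain)}
    # pickle.loads runs the embedded call and returns its result (3),
    # not a _CallsOnLoad instance: the data chose what code ran on load.
    results["calls_unsafe"] = pickle.loads(calls)
    try:
        safe_loads(calls)
        results["calls_safe"] = "loaded"
    except pickle.UnpicklingError as exc:
        results["calls_safe"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

When application classes must round-trip, an explicit allow-list inside find_class or a data-only format such as JSON serves the same purpose.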