GHSA-3x5x-fw77-g54c: dmlc/dgl Vulnerable to Remote Code Execution by Pickle Deserialization via rpc.recv_request()

March 5, 2025

Dgl implements rpc server (start_server() in rpc_server.py) for supporting the RPC communications among different remote users over networks. It relies on pickle serialize and deserialize to pack and unpack network messages. The is a known risk in pickle deserialization functionality that can be used for remote code execution.

References

github.com/advisories/GHSA-3x5x-fw77-g54c
github.com/dmlc/dgl
github.com/dmlc/dgl/issues/7874
github.com/dmlc/dgl/security/advisories/GHSA-3x5x-fw77-g54c

Detect and mitigate GHSA-3x5x-fw77-g54c with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →