RPyC's missing security check results in code execution when using numpy.array on the server-side.
An issue in Open Source: RPyC v.4.00 thru v.5.3.1 allows a remote attacker to execute arbitrary code via a crafted script to the array attribute component. This vulnerability was introduced in 9f45f826. Attack Vector RPyC services that rely on the array attribute used by numpy are impacted. When the server-side exposes a method that calls the attribute named array for a a client provided netref (e.g., np.array(client_netref)), a remote attacker …