GHSA-cq46-m9x9-j8w2: Scapy Session Loading Vulnerable to Arbitrary Code Execution via Untrusted Pickle Deserialization

October 22, 2025 (updated October 23, 2025)

An unsafe deserialization vulnerability in Scapy <v2.7.0 allows attackers to execute arbitrary code when a malicious session file is locally loaded via the -s option. This requires convincing a user to manually load a malicious session file.

References

github.com/advisories/GHSA-cq46-m9x9-j8w2
github.com/secdev/scapy
github.com/secdev/scapy/commit/13621d1145b3435e9d03caf20997107a84435c0b
github.com/secdev/scapy/security/advisories/GHSA-cq46-m9x9-j8w2

Code Behaviors & Features

Detect and mitigate GHSA-cq46-m9x9-j8w2 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →