Summary
pyATS imports the ply package version 3.11, which contains a critical remote code execution vulnerability ([CVE-2025-56005](https://github.com/bohmiiidd/Undocumented-RCE-in-PLY)).
Vulnerability Details
The `picklefile` parameter in ply's `yacc()` function accepts `.pkl` files that are deserialized using `pickle.load()` without validation. This allows arbitrary code execution via malicious pickle files, since Python's pickle module supports code execution during deserialization.
CVE Specification: Only version 3.11 on PyPI is officially listed, but the `picklefile` parameter has existed since ply 3.0+ (introduced in 2009), meaning older versions likely contain the same vulnerability.
Affected Component: `ply/yacc.py` — `LRTable.read_pickle()` via `yacc(picklefile=...)`
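As an added illustration (not code from this report or from ply), the following defender-side check disassembles a table file's pickles without executing them and rejects any that could import or call something, alongside a restricted unpickler that refuses every global. It assumes, as a parser table built from ints, strings, tuples, lists and dicts would allow, that no global is ever needed; the sample bytes are constructed for the demo.

```python
import io
import pickle
import pickletools

# Opcodes that import names or call objects while unpickling. A parser
# table made of plain scalars and containers needs none of them.
UNSAFE_OPCODES = frozenset({
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4",
})


def audit_pickle_bytes(data: bytes) -> list:
    """Disassemble every pickle in `data` (a table file may hold several
    back to back) and return [(offset, opcode, arg), ...] for each unsafe
    opcode. Nothing is executed; an empty list means nothing can import."""
    findings = []
    stream = io.BytesIO(data)
    while stream.tell() < len(data):
        for opcode, arg, pos in pickletools.genops(stream):
            if opcode.name in UNSAFE_OPCODES:
                findings.append((pos, opcode.name, arg))
    return findings


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any module attribute."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def load_table_stream(data: bytes) -> list:
    """Load all concatenated pickles in `data` with the restricted unpickler."""
    stream = io.BytesIO(data)
    objects = []
    while stream.tell() < len(data):
        objects.append(NoGlobalsUnpickler(stream).load())
    return objects


def loads_safely(data: bytes) -> bool:
    """True if every pickle in `data` loads without needing a global."""
    try:
        load_table_stream(data)
        return True
    except pickle.UnpicklingError:
        return False


def benign_table_bytes() -> bytes:
    # Constructed stand-in for a table file: version, signature, method,
    # then action and goto dicts keyed by state and symbol.
    parts = ["3.10", "sig-abc", "LALR", {0: {"NUMBER": 3, "$end": -1}}, {0: {"expr": 1}}]
    return b"".join(pickle.dumps(p, protocol=2) for p in parts)


def suspicious_bytes() -> bytes:
    # Constructed: pickling a builtin emits a GLOBAL/STACK_GLOBAL opcode,
    # which the audit flags and the restricted unpickler refuses.
    return pickle.dumps(len)
```

Run `audit_pickle_bytes` on a `.pkl` before ever handing it to `yacc(picklefile=...)`, and treat any finding as a reason not to load it.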
Impact
Any application using pyATS could be vulnerable to remote code execution if an attacker can control pickle files supplied to the ply parser.
References
Recommendation
Given that ply has not been updated since 2018, a timely security patch is unlikely. Consider:
- Short-term: Pin ply to an older version and avoid using the `picklefile` parameter in `yacc()` calls
- Long-term: Migrate parser functionality to an actively maintained alternative such as: