pathfinder scan --ruleset python/PYTHON-LANG-SEC-073 --project .
About This Rule
Understanding the vulnerability and how it is detected
Python's multiprocessing.Connection.recv() method receives and deserializes data using pickle. When data arrives on the Connection object, recv() calls pickle.loads() internally to reconstruct the Python object from the received bytes. This means that any data received via recv() can lead to arbitrary Python code execution if the sender is able to craft a malicious pickle payload.
multiprocessing Connections are designed for inter-process communication between trusted Python processes in the same application. They become dangerous when exposed over a network socket (via multiprocessing.connection.Client()/Listener()) to untrusted parties.
Use recv_bytes() to receive raw bytes without pickle deserialization, then parse the bytes with a safe format like JSON.
Security Implications
Potential attack scenarios if this vulnerability is exploited
Pickle Deserialization via IPC Channel
recv() calls pickle.loads() on the received bytes. An attacker who can write to the connection (either as a MITM attacker or a malicious process connecting to an exposed Listener) can send a malicious pickle payload that executes arbitrary code in the receiving process.
Listener Exposed to Network
multiprocessing.connection.Listener() can bind to a TCP address. If exposed to a network-accessible address (not localhost), any client can send arbitrary pickle payloads to the Listener, achieving remote code execution.
Authentication Bypass
multiprocessing connections support HMAC-based authentication via the authkey parameter. Without authkey, there is no authentication and any connecting client can send pickle payloads. Even with authkey, compromised keys allow exploitation.
Forked Process Trust Assumption
Code that assumes recv() is safe because "it's only used with forked processes" may be vulnerable if the connection is also exposed to a network or if the expected trusted sender can be replaced by an attacker-controlled process.
How to Fix
Recommended remediation steps
1. Replace Connection.recv() with Connection.recv_bytes() and parse the received bytes with json.loads() to avoid pickle deserialization.
2. Always bind multiprocessing Listener() to localhost (127.0.0.1) and not to 0.0.0.0 or a network-accessible address.
3. Use the authkey parameter for all multiprocessing connections to require HMAC authentication, even between trusted processes.
4. For inter-process communication that must cross network boundaries, use a proper message queue (Redis, RabbitMQ) with authenticated, schema-validated payloads.
5. Audit all multiprocessing.connection.Listener() configurations to ensure they are not exposed to untrusted network connections.
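A receiver that follows remediation steps 1 to 3, as an added example rather than the rule's or the project's own code: the Listener binds to loopback with an authkey, the server reads frames with recv_bytes() and parses them as JSON with a shape check, and a frame that is not JSON (such as a pickle) is rejected without ever reaching pickle.loads(). The shared secret, the allowed operations and the message shape are assumptions made for this example.

```python
import json
import pickle
import threading
from multiprocessing.connection import Client, Listener

# Constructed values for this example: a shared secret and a loopback-only bind.
AUTHKEY = b"example-shared-secret"   # in practice, load from a secret store
BIND_ADDRESS = ("127.0.0.1", 0)      # never 0.0.0.0; port 0 lets the OS choose

# Assumed protocol: {"op": <name>, "arg": <str>}; anything else is rejected.
ALLOWED_OPS = {"echo": lambda s: s, "upper": str.upper}

def handle_frame(raw: bytes) -> bytes:
    """Parse one raw frame as JSON, validate its shape, and build a JSON reply.
    pickle.loads() is never called, so a pickle frame simply fails JSON parsing."""
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return json.dumps({"ok": False, "error": "frame is not JSON"}).encode()
    if (not isinstance(msg, dict) or msg.get("op") not in ALLOWED_OPS
            or not isinstance(msg.get("arg"), str)):
        return json.dumps({"ok": False, "error": "bad message shape"}).encode()
    result = ALLOWED_OPS[msg["op"]](msg["arg"])
    return json.dumps({"ok": True, "result": result}).encode()

def _serve_one(listener: Listener) -> None:
    # accept() performs the HMAC challenge with authkey before handing back conn.
    with listener.accept() as conn:
        conn.send_bytes(handle_frame(conn.recv_bytes()))  # recv_bytes(), not recv()

def roundtrip(frame: bytes) -> bytes:
    """Start a hardened Listener, send one raw frame as a client, return the reply."""
    listener = Listener(BIND_ADDRESS, authkey=AUTHKEY)
    server = threading.Thread(target=_serve_one, args=(listener,), daemon=True)
    server.start()
    try:
        with Client(listener.address, authkey=AUTHKEY) as conn:
            conn.send_bytes(frame)        # send_bytes(), not send() (which pickles)
            reply = conn.recv_bytes()
    finally:
        server.join(timeout=5)
        listener.close()
    return reply

if __name__ == "__main__":
    print(roundtrip(b'{"op": "upper", "arg": "hello"}'))
    # A pickle frame, built here from a harmless dict, is rejected rather than loaded.
    print(roundtrip(pickle.dumps({"op": "upper", "arg": "hello"})))
```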
Detection Scope
How Code Pathfinder analyzes your code for this vulnerability
This rule detects calls to .recv() on multiprocessing Connection objects and related objects that use pickle for deserialization. The rule flags all recv() call sites to prompt review of the connection's trust boundary.
Similar Rules
Explore related security rules for Python
Pickle Deserialization of Untrusted Data
pickle.loads() and pickle.load() execute arbitrary Python code during deserialization. Never unpickle data from untrusted sources.
Socket Bound to All Interfaces (0.0.0.0)
Binding a socket to 0.0.0.0 exposes the service on all network interfaces, including public-facing ones. Bind to specific interfaces in production.
Paramiko exec_command() Usage
paramiko exec_command() runs commands on a remote host. Audit that command arguments are not derived from untrusted input to prevent command injection.