CVE-2022-35411: 
Python vulnerability analysis and mitigation

rpc.py through version 0.6.0 contains a Remote Code Execution vulnerability (CVE-2022-35411) that was discovered in July 2022. The vulnerability exists because an unpickle operation occurs when the 'serializer: pickle' HTTP header is sent, allowing unauthenticated clients to force the processing of data with unpickle despite JSON being the default data format (CVE Details, Medium Blog).

The vulnerability stems from the way rpc.py handles serializer selection through request headers. While JSON is the default serializer, the application allows overriding this through the 'serializer: pickle' HTTP header. When this header is sent, the application processes the data using Python's pickle module, which is known to be unsafe for deserializing untrusted data. This vulnerability affects both sync_server.py and async_server.py implementations in the examples folder (Medium Blog).

The vulnerability allows unauthenticated attackers to execute arbitrary code on the server by sending malicious pickle payloads. This represents a critical security risk as it enables complete compromise of affected systems running rpc.py versions 0.4.2 through 0.6.0 (Medium Blog).

The vulnerability was addressed in a commit that disabled the PickleSerializer by default. The fix includes adding a warning comment indicating that pickle serialization should only be enabled when there is physical isolation from external networks (GitHub Commit).