CVE-2025-63675: 
Python vulnerability analysis and mitigation

A remote code execution vulnerability was discovered in the cryptidy Python library through version 1.2.4. The vulnerability stems from the unsafe use of pickle.loads in the aesdecryptmessage function within symmetric_encryption.py, which allows for deserialization of untrusted data (GitHub Analysis, NVD).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 base score of 6.9 (Medium). The attack vector is local (AV:L), requires high attack complexity (AC:H), needs no privileges (PR:N), and no user interaction (UI:N). The scope is unchanged (S:U) with high impacts on confidentiality (C:H) and integrity (I:H), and low impact on availability (A:L) (NVD).

The vulnerability can lead to remote code execution (RCE), information disclosure, denial of service, and potential privilege escalation when malicious encrypted data is processed by the affected component (GitHub Analysis).

Security researchers recommend avoiding pickle for untrusted input and suggest using safe formats such as JSON or vetted serialization libraries with explicit schemas. If binary serialization is required, implement strict validation and restrict the set of permitted classes during deserialization. Additionally, applying the principle of least privilege is recommended to ensure code that performs deserialization runs with minimal privileges (GitHub Analysis).