CVE-2025-63675: 
Python vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-63675) was discovered in the cryptidy Python library affecting versions through 1.2.4. The vulnerability allows code execution via untrusted data due to unsafe usage of pickle.loads in the aes_decrypt_message function within symmetric_encryption.py. The vulnerability was disclosed on October 31, 2025, and received a CVSS v3.1 score of 6.9 (Medium) (NVD, Miggo).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and exists in the cryptidy library's decryption functionality. The core issue lies in the aes_decrypt_message function within cryptidy/symmetric_encryption.py, which uses pickle.loads to deserialize decrypted data without proper validation. The vulnerability affects both symmetric and asymmetric decryption operations through multiple vulnerable functions including decrypt_message and rsa_decrypt_message. The CVSS vector string is CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L, indicating local access required but high potential impact (Miggo).

The vulnerability can lead to remote code execution (RCE), information disclosure, denial of service, and potential privilege escalation when processing malicious encrypted data. The impact is particularly severe as it allows attackers to execute arbitrary code on the target system through carefully crafted payloads (GitHub Analysis).

Security researchers recommend avoiding pickle for untrusted input and suggest using safe formats such as JSON or vetted serialization libraries with explicit schemas. If binary serialization is required, implementing strict validation and restricting the set of permitted classes during deserialization is crucial. The principle of least privilege should be applied to ensure code performing deserialization runs with minimal privileges (GitHub Analysis).