GHSA-cq46-m9x9-j8w2: 
Python vulnerability analysis and mitigation

A moderate severity insecure deserialization vulnerability (GHSA-cq46-m9x9-j8w2) was discovered in Scapy versions 2.6.1 and earlier, disclosed on October 22, 2025. The vulnerability exists in the load_session function, which performs unsafe deserialization of pickle data from .pkl.gz files without proper validation (GitHub Advisory).

The vulnerability stems from the unsafe use of pickle.load() on potentially malicious .pkl.gz files provided via the -s CLI flag or programmatically through conf.session. The affected code in main.py attempts to deserialize data using pickle.load() without any validation or restrictions on the deserialized object. This vulnerability is classified as CWE-502: Deserialization of Untrusted Data, with a CVSS v4.0 score of 5.4 (Medium) and vector CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (GitHub Advisory).

The vulnerability enables arbitrary code execution when untrusted data is deserialized. Any user who can trick another user into loading a crafted .pkl.gz session file can execute arbitrary Python code on the target system. The impact affects the confidentiality, integrity, and availability of the vulnerable system with high severity ratings (GitHub Advisory).

Users are advised to avoid using the 'sessions' feature (the -s option) when launching Scapy. The recommended solution is to upgrade to Scapy version 2.7.0 or later, where the session mechanism has been completely removed to address this vulnerability (GitHub Advisory, Scapy Commit).