{"id":"PYSEC-2024-44","details":"In RPyC before 6.0.0, when a server exposes a method that calls the attribute named __array__ for a client-provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class that results in remote code execution.","aliases":["CVE-2024-27758","GHSA-h5cg-53g7-gqjw"],"modified":"2024-03-12T19:41:32.129797Z","published":"2024-03-12T16:15:00Z","references":[{"type":"WEB","url":"https://gist.github.com/renbou/957f70d27470982994f12a1d70153d09"},{"type":"ADVISORY","url":"https://github.com/tomerfiliba-org/rpyc/security/advisories/GHSA-h5cg-53g7-gqjw"}],"affected":[{"package":{"name":"rpyc","ecosystem":"PyPI","purl":"pkg:pypi/rpyc"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.0.0"}]}],"versions":["3.2.0","3.2.1","3.2.2","3.2.3","3.3.0","3.4.0","3.4.1","3.4.2","3.4.3","3.4.4","4.0.0","4.0.1","4.0.2","4.1.0","4.1.1","4.1.2","4.1.3","4.1.4","4.1.5","5.0.0","5.0.1","5.1.0","5.2.1","5.2.2","5.2.3","5.3.0","5.3.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/rpyc/PYSEC-2024-44.yaml"}}],"schema_version":"1.7.3"}