TROYANOSYVIRUS

CVE-2025-70560

HIGH
8.4

Description

Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achieve arbitrary code execution when the file is loaded.

CVE Details

CVSS v3.1 Score: 8.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: LOCAL
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 2/3/2026
Last Modified: 2/19/2026
Source: nvd
Honeypot Sightings: 0

Affected Products

jwohlwend:boltz

Weaknesses (CWE)

CWE-502

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.