CVE-2025-70560

HIGH

8.4

Descricao

Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achieve arbitrary code execution when the file is loaded.

Detalhes CVE

Pontuacao CVSS v3.18.4

SeveridadeHIGH

Vetor CVSSCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vetor de ataqueLOCAL

ComplexidadeLOW

Privilegios necessariosNONE

Interacao do usuarioNONE

Publicado2/3/2026

Ultima modificacao2/19/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

jwohlwend:boltz

Fraquezas (CWE)

CWE-502

Referencias

https://github.com/advisories/GHSA-fjm6-8xp2-4fwc(cve@mitre.org)

https://github.com/jwohlwend/boltz/blob/cb04aeccdd480fd4db707f0bbafde538397fa2ac/src/boltz/data/mol.py#L80(cve@mitre.org)

https://github.com/jwohlwend/boltz/issues/600(cve@mitre.org)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.