Share
## https://sploitus.com/exploit?id=FC907254-C414-5166-9A52-7E2A3B726E19
# Ply 3.11 Exploit Rejection #

This project argues that CVEโ€‘2025โ€‘56005 be rejected.

## Argument 1: The Proof of Concept does not complete sucessfully ##

In this project the [code from the proof of concept](https://github.com/bohmiiidd/Undocumented-RCE-in-PLY/blob/52e183fe1fc4f2009e53b2ba2654d8caeb5ce38d/README.md?plain=1#L94-L130)
has been copied to [`main.py`](./main.py).

### Run the proof of concept ###

To run the exploit ensure that you have installed [`uv`](https://docs.astral.sh/uv/getting-started/installation/)

Run

```shell 
uv sync
```

this will install `ply==3.11` as a project dependency.

Run

```shell
uv run main.py
```

This will run the proof of concept. This results in the program exiting early with a `AttributeError: 'function' object has no attribute 'input'`.
The text `VULNERABLE` is not in the file `/tmp/pwned`. This is not a working example of the alleged vulnerability.

## Argument 2: The proof of concept does not demonstrate Arbitrary Code Execution as claimed ##

Referring to the [proof of concept code](https://github.com/bohmiiidd/Undocumented-RCE-in-PLY/blob/52e183fe1fc4f2009e53b2ba2654d8caeb5ce38d/README.md?plain=1#L94-L130)
this does not demonstrate Arbitrary Code Execution as there is a single program running and no untrusted data has been
passed between processes. This is not a demonstration of [CWE-502](https://cwe.mitre.org/data/definitions/502.html) as claimed.