CVE-2025-70560

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-70560

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-70560.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-70560

Aliases

GHSA-fjm6-8xp2-4fwc

Published

2026-02-03T18:16:17.900Z

Modified

2026-03-13T03:50:36.349260Z

Severity

8.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achieve arbitrary code execution when the file is loaded.

References

Affected packages

Git / github.com/jwohlwend/boltz

Affected ranges

Type

GIT

Repo

https://github.com/jwohlwend/boltz

Events

Introduced

Last affected

afe4aa657e80bc2974c27b7095bc0ff1091d7150

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.0.0"
        }
    ]
}

Affected versions

v0.*

v0.1.0

v0.2.0

v0.2.1

v0.3.0

v0.3.1

v0.3.2

v0.4.0

v0.4.1

v1.*

v1.0.0

v2.*

v2.0.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-70560.json"