PyPI · pypi.org
defirl
Py Runtime Pickle Loads: pickle/marshal.loads — deserializes arbitrary objects, RCE if attacker-controlled.
Why PkgRadar flagged 1.2.6
| Severity | Signal | Evidence |
|---|---|---|
| medium | Py Runtime Pickle Loads | pickle/marshal.loads — deserializes arbitrary objects, RCE if attacker-controlled. · defirl-1.2.6/src/defirl/rl.py |
| medium | Py Runtime Pickle Loads | pickle/marshal.loads — deserializes arbitrary objects, RCE if attacker-controlled. · defirl-1.2.6/src/defirl/rlhf_long.py |
| medium | Py Runtime Pickle Loads | pickle/marshal.loads — deserializes arbitrary objects, RCE if attacker-controlled. · defirl-1.2.6/src/defirl/rlhf_rdql.py |
| medium | Py Runtime Pickle Loads | pickle/marshal.loads — deserializes arbitrary objects, RCE if attacker-controlled. · defirl-1.2.6/src/defirl/rlhf_short.py |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
1.3.2 | Low risk | 0 | 2026-06-14 |
1.3.1 | Low risk | 0 | 2026-06-11 |
1.3.0 | Low risk | 0 | 2026-06-07 |
1.2.9 | Low risk | 0 | 2026-06-04 |
1.2.8 | Low risk | 0 | 2026-06-04 |
1.2.6 | Review | 27 | 2026-05-26 |
Block this in CI
pkgradar gate --ecosystem pypi defirl==1.2.6