Can you break our pickle sandbox? Blog + exploit challenge inside
I’ve been working on a different approach to pickle security with a friend. We wrote up a blog post about it and built a challenge to test if it actually holds up.

The basic idea: we intercept and block the dangerous operations at the interpreter level during deserialization (RCE, file access, network calls, etc.). Still experimental, but we tested it against 32+ real vulnerabilities and got <0.8% performance overhead.

Blog post with all the technical details: https://iyehuda.substack.com/p/we-may-have-finally-fixed-pythons

Challenge site (try to escape): https://pickleescape.xyz

Curious what you all think – especially interested in feedback if you’ve dealt with pickle issues before or know of edge cases we might have missed.

submitted by /u/valmarelox
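For readers who want to see what interpreter-level interception during deserialization can look like in stock CPython, here is a sketch built on PEP 578 audit hooks. It is an added example, not the authors' code and not necessarily the mechanism their blog post describes; the deny-list, `guarded_loads`, `try_load` and the payload class are assumptions constructed for illustration.

```python
import os
import pickle
import sys
import threading

# Audit events (PEP 578) refused while untrusted bytes are being unpickled.
# The list is an assumption chosen for this sketch, not the post's policy.
BLOCKED = ("os.system", "os.exec", "os.spawn", "os.posix_spawn", "os.fork",
           "subprocess.Popen", "socket.", "ctypes.", "open", "exec", "compile")

class BlockedDuringUnpickle(Exception):
    """Raised by the audit hook; aborts the operation that fired the event."""

_guard = threading.local()  # per-thread flag: other threads are unaffected

def _audit_hook(event, args):
    if getattr(_guard, "active", False) and event.startswith(BLOCKED):
        raise BlockedDuringUnpickle(event)

sys.addaudithook(_audit_hook)  # audit hooks cannot be removed once installed

def guarded_loads(data):
    """pickle.loads with the deny-list enforced for the duration of the call."""
    _guard.active = True
    try:
        return pickle.loads(data)
    finally:
        _guard.active = False

class ConstructedPayload:
    """Constructed sample: a pickle whose REDUCE opcode calls os.system."""
    def __reduce__(self):
        return (os.system, ("echo constructed-payload-ran",))

def try_load(data):
    """Return ('ok', obj) or ('blocked', event_name)."""
    try:
        return ("ok", guarded_loads(data))
    except BlockedDuringUnpickle as exc:
        return ("blocked", str(exc))

if __name__ == "__main__":
    print(try_load(pickle.dumps({"user": "alice", "roles": ["reader"]})))
    print(try_load(pickle.dumps(ConstructedPayload())))
```

Importing a not-yet-loaded source module also fires `open` and `exec`, so under this deny-list a pickle that references an unloaded module is refused as well.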