Description
Summary
Pyomo's dependency on ply introduces a critical (CVSS 9.3) deserialization vulnerability (CVE-2025-56005) disclosed on 2026-01-20. Since ply has no patched version available, this is blocking organizations using CI/CD pipelines with security scanning enabled (Snyk, Dependabot, etc.).
This isn't a runtime bug in the traditional sense—it's a transitive dependency vulnerability that requires evaluation and action from the Pyomo team.
Steps to reproduce the issue
$ pip install pyomo
$ snyk test
Or any security scanner that checks for CVE-2025-56005 / SNYK-PYTHON-PLY-15046763.
Error Message
Snyk (and similar tools) report:
Issues with no direct upgrade or patch:
✗ Deserialization of Untrusted Data [Critical Severity][https://security.snyk.io/vuln/SNYK-PYTHON-PLY-15046763] in ply@3.11
introduced by ply@3.11 and 1 other path(s)
No upgrade or patch available
The vulnerability is in the picklefile parameter of ply.yacc(), which deserializes pickle files without validation, enabling arbitrary code execution via crafted pickle files.
Information on your system
Pyomo version: 6.9.2
Python version: 3.12
Operating system: Linux (CI/CD)
How Pyomo was installed: PyPI
Solver: N/A (vulnerability is in parser infrastructure)
Additional information
Vulnerability references:
Questions for the team:
- Does Pyomo's usage of ply.yacc() invoke the vulnerable picklefile parameter?
- If so, is there a configuration that avoids the vulnerable code path?
- Is migration to an alternative parser (e.g., lark, sly) on the roadmap?
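One way to answer the first question for any codebase is a static audit of the source for yacc() calls that pass picklefile (or forward an unpacked dict that might). The script below is an added example, not code from Pyomo or ply; it uses only the standard library, and the sample sources it scans are constructed.

```python
"""Audit Python source for ply.yacc.yacc() calls that pass `picklefile`.

Added example (not Pyomo or ply code); uses only the standard library.
"""
import ast
from typing import List, Tuple


def _is_yacc_call(node: ast.Call) -> bool:
    """True for calls spelled `yacc(...)`, `yacc.yacc(...)` or `ply.yacc.yacc(...)`."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id == "yacc"
    if isinstance(func, ast.Attribute):
        return func.attr == "yacc"
    return False


def find_picklefile_calls(source: str, filename: str = "<string>") -> List[Tuple[str, int, str]]:
    """Return (filename, line, value) for each yacc() call that passes picklefile.

    `value` is the source text of the keyword argument, or "**kwargs" when the
    call forwards an unpacked dict, which cannot be decided statically and needs review.
    """
    findings: List[Tuple[str, int, str]] = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _is_yacc_call(node)):
            continue
        for kw in node.keywords:
            if kw.arg == "picklefile":
                findings.append((filename, node.lineno, ast.unparse(kw.value)))
            elif kw.arg is None:  # yacc(**opts): may carry picklefile
                findings.append((filename, node.lineno, "**kwargs"))
    return findings


# Constructed sample: one safe call, one call using picklefile, one forwarded dict.
SAMPLE = '''
from ply import yacc
parser_a = yacc.yacc(tabmodule="parsetab", write_tables=False)
parser_b = yacc.yacc(picklefile="parser.pkl")
parser_c = yacc.yacc(**opts)
'''

if __name__ == "__main__":
    for path, line, value in find_picklefile_calls(SAMPLE, "sample.py"):
        print(f"{path}:{line}: yacc() called with picklefile={value}")
```

Run it over the checked-out source tree by reading each .py file into find_picklefile_calls; an empty result for every file means no call site reaches the picklefile path.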
Potential paths forward:
- Document whether Pyomo's ply usage is actually exploitable in practice
- Vendor a patched fork of ply if the fix is straightforward
- Migrate to an actively maintained parser generator
This is blocking production deployments for organizations with security policy enforcement. Any guidance on timeline or workarounds would be appreciated.