CVE-2025-70560HIGH 8.4EPSS p3.9%

CVE-2025-70560CVE-2025-70560

Description

Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achieve arbitrary code execution when the file is loaded.

Scoring

CVSS 3.18.4 (HIGH)
VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.14% probability of exploitation · percentile 3.9% · 2026-06-17T12:03:21Z
Published2026-02-03
Last modified2026-02-19

Underlying weaknesses· 1

CWE-502

References

  1. https://github.com/advisories/GHSA-fjm6-8xp2-4fwc
  2. https://github.com/jwohlwend/boltz/blob/cb04aeccdd480fd4db707f0bbafde538397fa2ac/src/boltz/data/mol.py#L80
  3. https://github.com/jwohlwend/boltz/issues/600

1

TypeTargetConfidenceTier
WeaknessDeserialization of Untrusted Datacwe-5020%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-31048
CVE
CVE-2025-1945
CVE
CVE-2025-61622
CVE
CVE-2025-45146
CVE
CVE-2026-11460
CVE
CVE-2025-46183
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.