mercure
Pickle Deserialization via Unauthenticated Redis
mercure's job queue (RQ) stores jobs in Redis and deserializes them with Python's pickle. In the stock deployment Redis has no authentication and is reachable from every container on the Docker network. An attacker who already has a foothold on that network can place a crafted job in Redis; when the worker dequeues it, pickle deserialization runs the attacker's code on the worker.
Description
mercure is an open-source DICOM orchestration platform; we appreciate the maintainers' prompt, constructive response to this report. mercure distributes background work through RQ, a Redis-backed job queue.
RQ's default serializer is Python's pickle, and mercure creates its queues without overriding it:
app/webinterface/common.py:23-26
from redis import Redis
from rq import Queue

redis = Redis.from_url(os.getenv("REDIS_URL", "redis://localhost:6379/0"))
rq_slow_queue = Queue(name="mercure_slow", connection=redis)  # no serializer=
rq_fast_queue = Queue(name="mercure_fast", connection=redis)  # no serializer=

The worker is started without a --serializer flag, so it deserializes every job with pickle. In the stock compose file, Redis runs with no password and no network isolation, reachable from every container on the Docker bridge:
docker/docker-compose.yml (Redis)
redis:
  image: redis
  restart: always
  command: redis-server --save 20 1

Deserializing with pickle is unsafe by design: a crafted object runs code through Python's __reduce__ protocol the moment it is loaded. An attacker with network access to Redis writes a job whose pickled data field carries such an object and pushes the job's ID onto the queue; when the worker calls Job.restore(), the payload executes as the mercure user on the worker. We are not publishing a working payload.
Redis is not exposed to the host in the stock deployment, so this is reached by pivoting from another container, such as the unauthenticated receiver RCE. Once on the Docker network, no credentials are required.
Command execution on the worker is confirmed by the output of an injected id:
Proof-of-concept output
uid=1000(mercure) gid=1000(mercure) groups=1000(mercure)
Impact
- An attacker with access to any container on the Docker network can run code on the worker containers, which mount the shared config and data volumes. No credentials are required to reach Redis in the stock deployment.
- Execution is silent: the payload runs during job restore, before job-level logging, and the worker continues normally.
- Chained with the unauthenticated receiver RCE, a remote attacker who can reach the DICOM port reaches worker code execution with no authentication at any stage.
- For a hospital or clinic, this means an attacker who already has a foothold in the deployment can take over the workers that process imaging jobs, with no password required.
Mitigation
Upgrade to mercure 0.4.1, which requires a Redis password (the application will not start without one) and places Redis on an internal Docker network with no exposed port, closing the unauthenticated access path. For defense in depth on any RQ deployment, switch the queue and worker to RQ's JSON serializer so that job data is never unpickled, and keep Redis on an isolated network reachable only by the services that need it.
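The following is an added illustration written for this advisory, not code from mercure or from RQ. It puts side by side the two points made in the Description and the Mitigation: a pickle-based serializer calls whatever callable the job data names the moment the data is loaded, while a JSON serializer has no way to express a callable and simply refuses the same bytes; and a service that refuses to start without a Redis password closes the unauthenticated path. The serializer classes imitate the dumps/loads interface of RQ's pickle default and its JSONSerializer (rq.serializers.JSONSerializer) but are not those classes; ReduceProbe, restore_job, hostile_job_bytes, url_has_password and require_redis_password are hypothetical helpers, the probe deliberately calls only os.getcwd, and the Redis URL is constructed.

```python
"""Added illustration (not mercure's or RQ's code): why an RQ worker must not
unpickle job data that untrusted parties can write into Redis, and what the
two 0.4.1-style mitigations look like in code.

The serializer classes imitate the dumps/loads interface of RQ's pickle-based
default serializer and its JSONSerializer; ReduceProbe, restore_job,
hostile_job_bytes, url_has_password and require_redis_password are
hypothetical helpers written for this example.
"""
import json
import os
import pickle
from urllib.parse import urlparse


class PickleSerializer:
    """What an RQ queue created without serializer= amounts to (modelled)."""
    dumps = staticmethod(pickle.dumps)
    loads = staticmethod(pickle.loads)


class JSONSerializer:
    """JSON carries data only; it cannot name a callable (modelled after RQ's)."""
    @staticmethod
    def dumps(obj):
        return json.dumps(obj).encode("utf-8")

    @staticmethod
    def loads(data):
        return json.loads(data.decode("utf-8"))


class ReduceProbe:
    """Benign stand-in for a hostile job object. Unpickling it makes the loader
    call the callable named by __reduce__ with the arguments given there. Here
    that is os.getcwd with no arguments, so nothing harmful happens, but both
    the callable and its arguments are the data's choice. This shows the
    mechanism the advisory describes; it is not a payload against mercure."""
    def __reduce__(self):
        return (os.getcwd, ())


def hostile_job_bytes():
    """Constructed attacker-controlled job data, as it would sit in Redis."""
    return pickle.dumps(ReduceProbe())


def restore_job(raw_data, serializer):
    """Worker side: decode a job's data field the way Job.restore hands it to
    the serializer. Returns ("ok", value) or ("rejected", exception name)."""
    try:
        return ("ok", serializer.loads(raw_data))
    except (ValueError, pickle.UnpicklingError) as exc:
        # JSONDecodeError and UnicodeDecodeError both subclass ValueError
        return ("rejected", type(exc).__name__)


def url_has_password(url):
    """True if a redis:// or rediss:// URL carries a password component."""
    parsed = urlparse(url)
    return parsed.scheme in ("redis", "rediss") and bool(parsed.password)


def require_redis_password(url):
    """Startup guard in the spirit of mercure 0.4.1 refusing to run without a
    Redis password (our own check, not mercure's): returns the URL if it
    carries a password, otherwise raises so the service does not start."""
    if not url_has_password(url):
        raise RuntimeError("REDIS_URL must be redis[s]://[user]:<password>@host:port/db")
    return url


def demo():
    """Run both restore paths on the same hostile bytes and report the outcome."""
    raw = hostile_job_bytes()
    status, value = restore_job(raw, PickleSerializer)
    return {
        "pickle_status": status,
        # True means the unpickler really invoked os.getcwd on our behalf
        "pickle_called_getcwd": status == "ok" and value == os.getcwd(),
        "json_status": restore_job(raw, JSONSerializer)[0],
    }


if __name__ == "__main__":
    print(demo())
    print(require_redis_password("redis://:s3cret@redis:6379/0"))  # constructed URL
```

In a real RQ deployment the equivalent of the JSON path is passing serializer=JSONSerializer when the Queue objects are created and starting the worker with the matching --serializer option; the two must agree, or the worker will reject every job.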
Defender's Checklist
Upgrade to 0.4.1 or later
Deploy the patched release; confirm Redis is password-protected and not reachable from outside its network.
Isolate Redis
Ensure Redis is on an internal network with no host port mapping and reachable only by the services that need it.
Consider JSON serialization
Where feasible, run RQ with its JSON serializer so worker jobs are never unpickled.
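To verify the first two checklist items from inside the deployment, the following added probe (not from the advisory, and not a mercure tool) sends a bare RESP PING to a Redis port without authenticating. A correctly hardened Redis answers -NOAUTH, an isolated one is unreachable from any container that does not need it, and a +PONG is the stock-deployment finding. The fake listener is a constructed stand-in so the example runs offline; the host name "redis" used in the comment is an assumption about the compose service name.

```python
"""Added check (not from the advisory): does a Redis listener answer PING
without AUTH? The fake listener below is a constructed stand-in for a Redis
server so the example runs offline; probe_redis, classify_reply,
start_fake_listener and unused_port are hypothetical helpers.
"""
import socket
import threading

PING = b"*1\r\n$4\r\nPING\r\n"  # RESP encoding of the PING command


def classify_reply(reply: bytes) -> str:
    """Map the first raw RESP reply to a verdict."""
    if reply.startswith(b"+PONG"):
        return "open"            # answered without credentials
    if reply.startswith(b"-NOAUTH"):
        return "auth-required"   # requirepass / ACL in effect
    return "unexpected"


def probe_redis(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Connect, send a bare PING and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(PING)
            reply = sock.recv(256)
    except OSError:
        return "unreachable"     # refused, timed out, or no route from here
    return classify_reply(reply)


def start_fake_listener(reply: bytes):
    """Constructed stand-in for a Redis server, for offline demonstration only:
    accepts connections on an ephemeral localhost port and answers each one
    with `reply`. Returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.recv(256)   # consume the PING
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def unused_port() -> int:
    """An ephemeral localhost port with nothing listening, for the isolated case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Real use from a container on the Docker network: probe_redis("redis")
    host, port = start_fake_listener(b"+PONG\r\n")   # stock-deployment behaviour
    print("stock:", probe_redis(host, port))
    host, port = start_fake_listener(b"-NOAUTH Authentication required.\r\n")
    print("hardened:", probe_redis(host, port))
    print("isolated:", probe_redis("127.0.0.1", unused_port()))
```

Run the probe from a container that should have no business with Redis (the receiver, for instance) as well as from the host: both should report "unreachable" once Redis sits on an internal network with no port mapping, and a worker container should see "auth-required".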
Who We Are
The security researchers behind this advisory.

Dr. rer. nat. Simon Weber
Senior Pentester & MedSec Researcher
I evaluate your SaMD with the same industry-defining security insight I contributed to the BAK MV for the revision of the B3S standard.
- PhD on Hospital Cybersecurity
- Critical vulnerabilities found in hospital systems
- Alumnus of THB MedSec Research Group
- gematik Security Hero

Dipl.-Inf. Volker Schönefeld
Senior Application Security Expert
As a former CTO and developer turned pentester, I work alongside your team to uncover vulnerabilities and find solutions that fit your architecture.
- 20+ years as CTO, 50M+ app downloads
- Architected and secured large-scale IoT fleets
- Certified Web Exploitation Specialist
- gematik Security Hero
Looking for a Penetration Test?
Machine Spirits specializes in security assessments for medical devices and healthcare IT. From MDR penetration testing to C5 cloud compliance, we help MedTech companies meet regulatory requirements.
