Add security warning when RQ uses default pickle serializer

mitchh456 · claude · mitchh456 · commit 1486d1c78eb6 · 2026-03-31T19:33:31.000Z
Addresses CVE concern (CWE-502) where RQ's default pickle serializer can enable RCE via Redis. Scout's own code does not use pickle, but this warning helps users identify the risk in their RQ configuration. Closes #842 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/src/scout_apm/rq.py b/src/scout_apm/rq.py
@@ -57,6 +57,20 @@ def ensure_job_instrumented():
     job_instrumented = True
     Job.perform = wrap_perform(Job.perform)
 
+    try:
+        from rq.serializers import DefaultSerializer
+        import pickle
+
+        if getattr(DefaultSerializer, "dumps", None) is pickle.dumps:
+            logger.warning(
+                "RQ is using the default pickle serializer, which is vulnerable to "
+                "Remote Code Execution (RCE) via Redis (CWE-502). Consider switching "
+                "to a safer serializer like rq.serializers.JSONSerializer. "
+                "See https://github.com/rq/rq/issues/2389 for details."
+            )
+    except Exception:
+        pass
+
 
 @wrapt.decorator
 def wrap_perform(wrapped, instance, args, kwargs):
