Home

Description

Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by `pty` missing from the block list of unsafe module imports. This led to unsafe pickles based on `pty.spawn()` being incorrectly flagged as `LIKELY_SAFE`, and was fixed in version 0.1.6. This impacted any user or system that used Fickling to vet pickle files for security issues.

PUBLISHED Reserved 2025-12-11 | Published 2025-12-16 | Updated 2025-12-16 | Assigner GitHub_M




HIGH: 7.1CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Problem types

CWE-184: Incomplete List of Disallowed Inputs

CWE-502: Deserialization of Untrusted Data

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

< 0.1.6
affected

References

github.com/...ckling/security/advisories/GHSA-r7v6-mfhq-g3m2

github.com/trailofbits/fickling/pull/108

github.com/trailofbits/fickling/pull/187

cve.org (CVE-2025-67748)

nvd.nist.gov (CVE-2025-67748)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.