12 matches found
CVE-2025-71322
PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan...
CVE-2025-71322
CVE-2025-71322 affects PickleScan prior to 0.0.33, where the unsafe-globals check omits pty.spawn. Attackers can craft pickle payloads using pty.spawn to bypass checks and achieve arbitrary code execution during file processing. The connected records confirm the root cause (missing pty.spawn in u...
EUVD-2025-210269
PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan...
GHSA-HGRH-QX5J-JFWX Picklescan Bypasses Unsafe Globals Check using pty.spawn
Summary The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. The issue stems from the absence of the pty library more specifically, of the pty.spawn function from PickleScan's list of unsafe globals. This vulnerabili...
Picklescan Bypasses Unsafe Globals Check using pty.spawn
Summary The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. The issue stems from the absence of the pty library more specifically, of the pty.spawn function from PickleScan's list of unsafe globals. This vulnerabili...
GHSA-VQMV-47XG-9WPR Picklescan missing detection when calling pty.spawn
Summary Using pty.spawn, which is a built-in python library function to execute arbitrary commands on the host system. Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to pty.spawn function in the reduce method. Then the victim attempts ...
PYSEC-2025-113
Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by pty missing from the block list of unsafe module imports. This led to unsafe pickles based on pty.spawn being incorrectly flagged as LIKELYSAFE, and was fixed in version 0.1.6. This impact...
PYSEC-2025-113
Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by pty missing from the block list of unsafe module imports. This led to unsafe pickles based on pty.spawn being incorrectly flagged as LIKELYSAFE, and was fixed in version 0.1.6. This impact...
CVE-2025-67748 Fickling has Code Injection vulnerability via pty.spawn()
Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by pty missing from the block list of unsafe module imports. This led to unsafe pickles based on pty.spawn being incorrectly flagged as LIKELYSAFE, and was fixed in version 0.1.6. This impact...
CVE-2025-67748
Fickling CVE-2025-67748 describes a bypass in which the blocklist of unsafe imports did not include pty, allowing unsafe pickles using pty.spawn() to be misclassified as LIKELY_SAFE. The root cause is documented as the unsafe-imports check missing pty in version
PT-2025-51355
Name of the Vulnerable Software and Affected Versions Fickling versions prior to 0.1.6 Description Fickling, a Python pickling decompiler and static analyzer, contained a bypass related to missing unsafe module imports. Specifically, the pty module was not included in the block list, leading to...
Fickling has Code Injection vulnerability via pty.spawn()
Fickling Assessment Based on the test case provided in the original report below, this bypass was caused by pty missing from our block list of unsafe module imports as previously documented in 108, rather than the unused variable heuristic. This led to unsafe pickles based on pty.spawn being...