
87 matches found

OSV
added 2026/03/13 8:58 p.m., 1 view

GHSA-5CXW-W2XG-2M8H fickling's `platform` module subprocess invocation evades `check_safety()` with `LIKELY_SAFE`

Our assessment: We added platform to the blocklist of unsafe modules (https://github.com/trailofbits/fickling/commit/351ed4d4242b447c0ffd550bb66b40695f3f9975). It was not possible to inject extra arguments to file without first monkey-patching platform._follow_symlinks with the pickle, as it always...

CVSS 6.9, AI score 6
Exploits 0, References 4
Github Security Blog
added 2026/03/13 8:58 p.m., 3 views

fickling's `platform` module subprocess invocation evades `check_safety()` with `LIKELY_SAFE`

Our assessment: We added platform to the blocklist of unsafe modules (https://github.com/trailofbits/fickling/commit/351ed4d4242b447c0ffd550bb66b40695f3f9975). It was not possible to inject extra arguments to file without first monkey-patching platform._follow_symlinks with the pickle, as it always...

AI score 6
Exploits 0, References 4, Affected software 1
Github Security Blog
added 2026/03/13 8:57 p.m., 3 views

fickling modules linecache, difflib and gc are missing from the unsafe modules blocklist

Our analysis: As stated in the project's security policy, we also don't consider UnusedVariables bypasses to be security issues. We added several unsafe modules mentioned by the reporter in advisory comments to the blocklist...

AI score 6.2
Exploits 0, References 4, Affected software 1
Snyk
added 2026/03/04 9:31 p.m., 1 view

Incomplete List of Disallowed Inputs

Overview: fickling is a static analyzer and interpreter for Python pickle data. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the UNSAFE_IMPORTS list. An attacker can execute arbitrary system commands by crafting a malicious pickle file that imports...

CVSS 10, AI score 6
Exploits 0, References 2
OSV
added 2026/03/04 9:31 p.m., 2 views

GHSA-5HWF-RC88-82XM Fickling missing RCE-capable modules in UNSAFE_IMPORTS

Assessment: The modules uuid, _osx_support and _aix_support were added to the blocklist of unsafe imports (https://github.com/trailofbits/fickling/commit/ffac3479dbb97a7a1592d85991888562d34dd05b). Original report, Summary: fickling's UNSAFE_IMPORTS blocklist is missing at least 3 stdlib modules that provid...

CVSS 9.3, AI score 6
Exploits 0, References 3
Github Security Blog
added 2026/03/04 9:31 p.m., 4 views

Fickling missing RCE-capable modules in UNSAFE_IMPORTS

Assessment: The modules uuid, _osx_support and _aix_support were added to the blocklist of unsafe imports (https://github.com/trailofbits/fickling/commit/ffac3479dbb97a7a1592d85991888562d34dd05b). Original report, Summary: fickling's UNSAFE_IMPORTS blocklist is missing at least 3 stdlib modules that provid...

AI score 6
Exploits 0, References 3, Affected software 1
Github Security Blog
added 2026/03/04 9:30 p.m., 4 views

Fickling has `always_check_safety()` bypass: pickle.loads and _pickle.loads remain unhooked

Assessment: The missing pickle entrypoints _pickle.loads, pickle.loads, and _pickle.load were added to the hook (https://github.com/trailofbits/fickling/commit/8c24c6edabceab156cfd41f4d70b650e1cdad1f7). Original report, Summary: fickling.always_check_safety does not hook all pickle entry points...

AI score 6.1
Exploits 0, References 4, Affected software 1
Snyk
added 2026/03/04 9:30 p.m., 1 view

Improperly Implemented Security Check for Standard

Overview: fickling is a static analyzer and interpreter for Python pickle data. Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard in the always_check_safety function. An attacker can execute arbitrary code by supplying a malicious pickle payload...

CVSS 10, AI score 6.1
Exploits 0, References 2
OSV
added 2026/03/04 9:30 p.m., 2 views

GHSA-WCCX-J62J-R448 Fickling has `always_check_safety()` bypass: pickle.loads and _pickle.loads remain unhooked

Assessment: The missing pickle entrypoints _pickle.loads, pickle.loads, and _pickle.load were added to the hook (https://github.com/trailofbits/fickling/commit/8c24c6edabceab156cfd41f4d70b650e1cdad1f7). Original report, Summary: fickling.always_check_safety does not hook all pickle entry points...

CVSS 9.3, AI score 6.1
Exploits 0, References 4
Snyk
added 2026/02/25 3:24 p.m., 2 views

Incomplete List of Disallowed Inputs

Overview: fickling is a static analyzer and interpreter for Python pickle data. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the is_likely_safe, check_safety, --check-safety, always_check_safety and check_safety interfaces. An attacker can execute arbitra...

CVSS 5.3, AI score 6.1
Exploits 0, References 2
OSV
added 2026/02/25 3:24 p.m., 2 views

GHSA-MHC9-48GJ-9GP3 Fickling has safety check bypass via REDUCE+BUILD opcode sequence

Assessment: It is believed that the analysis pass works as intended; REDUCE and BUILD are not at fault here. The few potentially unsafe modules have been added to the blocklist (https://github.com/trailofbits/fickling/commit/0c4558d950daf70e134090573450ddcedaf10400). Original report, Summary: All 5 of...

CVSS 5.3, AI score 5.8
Exploits 0, References 4
Github Security Blog
added 2026/02/25 3:24 p.m., 6 views

Fickling has safety check bypass via REDUCE+BUILD opcode sequence

Assessment: It is believed that the analysis pass works as intended; REDUCE and BUILD are not at fault here. The few potentially unsafe modules have been added to the blocklist (https://github.com/trailofbits/fickling/commit/0c4558d950daf70e134090573450ddcedaf10400). Original report, Summary: All 5 of...

AI score 5.7
Exploits 0, References 4, Affected software 1
Snyk
added 2026/02/24 9:41 p.m., 1 view

Interpretation Conflict

Overview: fickling is a static analyzer and interpreter for Python pickle data. Affected versions of this package are vulnerable to Interpretation Conflict via the OBJ opcode handling logic. An attacker can evade safety checks by triggering a code path where OBJ pushes an ast.Call onto the...

CVSS 9.6, AI score 6.2
Exploits 0, References 2
Github Security Blog
added 2026/02/24 9:41 p.m., 5 views

Fickling: OBJ opcode call invisibility bypasses all safety checks

Assessment: The interpreter was updated so that it behaves closer to CPython when dealing with the OBJ, NEWOBJ, and NEWOBJ_EX opcodes (https://github.com/trailofbits/fickling/commit/ff423dade2bb1f72b2b48586c022fac40cbd9a4a). Original report, Summary: All 5 of fickling's safety interfaces -- is_likely_safe, check_safety, CLI...

AI score 6
Exploits 0, References 3, Affected software 1
Snyk
added 2026/02/20 6:24 p.m., 1 view

Incomplete List of Disallowed Inputs

Overview: fickling is a static analyzer and interpreter for Python pickle data. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the check_safety function. An attacker can trigger outbound TCP connections during deserialization by crafting malicious pick...

CVSS 5, AI score 5.8
Exploits 0, References 2
Veracode
added 2026/01/20 11:54 a.m., 3 views

Insecure Deserialization

fickling is vulnerable to Insecure Deserialization. The vulnerability is due to Fickling not treating Python's runpy module as unsafe, which allows an attacker to craft a malicious pickle using runpy.run_path or runpy.run_module that is misclassified as suspicious rather than overtly malicious,...

CVSS 9.3, AI score 6, EPSS 0.00101
Exploits 1, References 6, Affected software 1
RedhatCVE
added 2026/01/13 10:52 p.m., 2 views

CVE-2026-22612

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, Fickling is vulnerable to detection bypass due to "builtins" blindness. This issue has been patched in version 0.1.7...

CVSS 9.3, AI score 6.9, EPSS 0.00096
Exploits 0, References 1
RedhatCVE
added 2026/01/13 10:52 p.m., 1 view

CVE-2026-22607

Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on...

CVSS 9.3, AI score 7.1, EPSS 0.00101
Exploits 1, References 1
RedhatCVE
added 2026/01/13 10:52 p.m., 1 view

CVE-2026-22606

Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's runpy module as unsafe. Because of this, a malicious pickle that uses runpy.run_path or runpy.run_module is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user...

CVSS 9.3, AI score 7.1, EPSS 0.00101
Exploits 1, References 1
RedhatCVE
added 2026/01/13 10:52 p.m., 2 views

CVE-2026-22609

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected...

CVSS 9.3, AI score 8.1, EPSS 0.00065
Exploits 1, References 1