97 matches found
Fickling 代码问题漏洞
Fickling is an open source decompiler and static analyzer for Python by Trail of Bits. A code issue vulnerability exists in Fickling version 0.1.6 and earlier, which stems from failing to mark the runpy module as unsafe, which could lead to the execution of attacker-controlled code...
Fickling 代码问题漏洞
Fickling is an open source decompiler and static analyzer for Python by Trail of Bits. A code issue vulnerability exists in versions prior to Fickling 0.1.7 that stems from the static analyzer failing to flag high-risk modules, which could lead to bypassing security checks and executing arbitrary...
Fickling vulnerable to detection bypass due to "builtins" blindness
Fickling's assessment Fickling started emitting AST nodes for builtins imports in order to match them during analysis https://github.com/trailofbits/fickling/commit/9f309ab834797f280cb5143a2f6f987579fa7cdf. Original report Summary Fickling works by Pickle bytecode -- AST -- Security analysis...
GHSA-H4RM-MM56-XF63 Fickling vulnerable to detection bypass due to "builtins" blindness
Fickling's assessment Fickling started emitting AST nodes for builtins imports in order to match them during analysis https://github.com/trailofbits/fickling/commit/9f309ab834797f280cb5143a2f6f987579fa7cdf. Original report Summary Fickling works by Pickle bytecode -- AST -- Security analysis...
Deserialization of Untrusted Data
Overview fickling is an A static analyzer and interpreter for Python pickle data Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the unsafeimports function. An attacker can execute arbitrary code by supplying a malicious pickle that imports dangerous...
Deserialization of Untrusted Data
Overview fickling is an A static analyzer and interpreter for Python pickle data Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker can execute arbitrary code by supplying a malicious pickle payload that uses the pydoc and ctypes modules to bypass...
GHSA-5HVC-6WX8-MVV4 Fickling vulnerable to use of ctypes and pydoc gadget chain to bypass detection
Fickling's assessment pydoc and ctypes were added to the list of unsafe imports https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1. Original report Summary Both ctypes and pydoc modules arent explictly blocked. Even other existing pickle scanning tools like...
Deserialization of Untrusted Data
Overview fickling is an A static analyzer and interpreter for Python pickle data Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the cProfile.run process. An attacker can execute arbitrary code by supplying a malicious pickle file that bypasses checks and...
Fickling Blocklist Bypass: cProfile.run()
Fickling's assessment cProfile was added to the list of unsafe imports https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43. Original report Description Summary Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because ...
GHSA-P523-JQ9W-64X9 Fickling Blocklist Bypass: cProfile.run()
Fickling's assessment cProfile was added to the list of unsafe imports https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43. Original report Description Summary Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because ...
Deserialization of Untrusted Data
Overview fickling is an A static analyzer and interpreter for Python pickle data Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the runpy module. An attacker can execute arbitrary code by supplying a malicious pickle file that uses runpy.runpath or...
Fickling has a bypass via runpy.run_path() and runpy.run_module()
Fickling's assessment runpy was added to the list of unsafe imports https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66. Original report Summary Fickling versions up to and including 0.1.6 do not treat Python’s runpy module as unsafe. Because of this, a malicio...
PT-2026-2229
Name of the Vulnerable Software and Affected Versions Fickling versions prior to 0.1.7 Description Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe imports method within Fickling’s static analyzer does not identify several high-risk Python modules...
PT-2026-2232
Name of the Vulnerable Software and Affected Versions Fickling versions prior to 0.1.7 Description Fickling, a Python pickling decompiler and static analyzer, is susceptible to a detection bypass due to a "builtins" blindness issue. This allows for potential circumvention of security measures...
PT-2026-2227
Name of the Vulnerable Software and Affected Versions Fickling versions up to and including 0.1.6 Description Fickling, a Python pickling decompiler and static analyzer, incorrectly classifies pickles utilizing the cProfile.run function as SUSPICIOUS instead of OVERTLY MALICIOUS. This...
PT-2026-2228
Name of the Vulnerable Software and Affected Versions Fickling versions prior to 0.1.7 Description Fickling, a Python pickling decompiler and static analyzer, does not explicitly block the ctypes and pydoc modules in versions prior to 0.1.7. Combining these modules can lead to Remote Code Executi...
PT-2026-2226
Name of the Vulnerable Software and Affected Versions Fickling versions up to and including 0.1.6 Description Fickling, a Python pickling decompiler and static analyzer, incorrectly classifies pickles utilizing Python’s runpy.run path or runpy.run module as SUSPICIOUS instead of OVERTLY MALICIOUS...
CVE-2025-67747
Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing marshal and types from the block list of unsafe module imports. Fickling started blocking both modules to address this issue. This allows an attacker to craft a malicious pickle file that can bypass...
CVE-2025-67748
Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by pty missing from the block list of unsafe module imports. This led to unsafe pickles based on pty.spawn being incorrectly flagged as LIKELYSAFE, and was fixed in version 0.1.6. This impact...
CVE-2025-67747
Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing marshal and types from the block list of unsafe module imports. Fickling started blocking both modules to address this issue. This allows an attacker to craft a malicious pickle file that can bypass...