
6 matches found

EUVD
added 2025/12/29 3:26 p.m., 1 view

EUVD-2025-205588

Picklescan Bypasses Unsafe Globals Check using pty.spawn...

AI score 6.4
Exploits: 0, References: 5
EUVD
added 2025/12/29 3:24 p.m., 4 views

EUVD-2025-205589

Picklescan missing detection when calling pty.spawn...

AI score 6.4
Exploits: 0, References: 5
Github Security Blog
added 2025/12/29 3:24 p.m., 3 views

Picklescan missing detection when calling pty.spawn

Summary: pty.spawn, a function in Python's built-in pty module, is used to execute arbitrary commands on the host system. Details: The attack payload executes in the following steps. First, the attacker crafts the payload by calling pty.spawn from the __reduce__ method. Then the victim attempts ...

AI score 7.9
Exploits: 0, References: 5, Affected Software: 1
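The entries above all describe the same class of bypass: a pickle whose reduce step resolves the global pty.spawn, which a scanner misses if pty is absent from its block list of unsafe module imports. The following is an added example, not code from picklescan, fickling or any of the advisories. It hand-constructs the bytes such a payload serializes to (the protocol 0 GLOBAL form and the protocol 4 STACK_GLOBAL form), never unpickles them, and runs a small opcode-level scanner over them with a block list that omits pty and one that includes it. The block lists, payload bytes and function names are illustrative assumptions; the real projects' lists are larger and are not reproduced here.

```python
import pickle
import pickletools

# Constructed sample payloads (not taken from the advisories). They are the
# bytes produced when a __reduce__ method returns (pty.spawn, ("/bin/sh",)):
# protocol 0 uses the GLOBAL opcode ('c' + "module\nname\n"), protocol 4
# pushes module and name as strings and resolves them with STACK_GLOBAL.
PAYLOAD_PROTO0 = b"cpty\nspawn\n(S'/bin/sh'\ntR."
PAYLOAD_PROTO4 = (
    b"\x80\x04"            # PROTO 4
    b"\x8c\x03pty"         # SHORT_BINUNICODE "pty"
    b"\x8c\x05spawn"       # SHORT_BINUNICODE "spawn"
    b"\x93"                # STACK_GLOBAL -> pty.spawn
    b"\x8c\x07/bin/sh"     # SHORT_BINUNICODE "/bin/sh"
    b"\x85"                # TUPLE1 -> ("/bin/sh",)
    b"R"                   # REDUCE -> pty.spawn("/bin/sh")
    b"."                   # STOP
)
# A benign pickle with no global references at all (constructed).
BENIGN = pickle.dumps({"weights": [0.1, 0.2, 0.3]})

# Illustrative block lists. The "before" list models a scanner that forgot
# pty, which is the gap the advisories describe; "after" adds it.
BLOCKLIST_BEFORE = {"os", "subprocess", "builtins", "sys", "socket", "shutil"}
BLOCKLIST_AFTER = BLOCKLIST_BEFORE | {"pty"}

# Opcodes that push a string literal; STACK_GLOBAL consumes the top two.
STRING_OPS = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}


def imported_globals(data):
    """Return [(module, name), ...] for every global the pickle resolves.

    Uses pickletools.genops, which disassembles without executing anything.
    For STACK_GLOBAL we approximate the stack with the last two string
    pushes, which is accurate for the straightforward payload shapes here.
    """
    found = []
    strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without module/name strings")
            found.append((strings[-2], strings[-1]))
    return found


def scan(data, blocklist):
    """Classify a pickle as UNSAFE if it imports from a blocked module."""
    for module, name in imported_globals(data):
        if module.split(".")[0] in blocklist:
            return ("UNSAFE", f"{module}.{name}")
    return ("LIKELY_SAFE", None)


if __name__ == "__main__":
    for label, payload in (("proto0", PAYLOAD_PROTO0), ("proto4", PAYLOAD_PROTO4)):
        print(label, "before:", scan(payload, BLOCKLIST_BEFORE))
        print(label, "after: ", scan(payload, BLOCKLIST_AFTER))
    print("benign:", scan(BENIGN, BLOCKLIST_AFTER))
```

With the block list that omits pty both payload encodings come back LIKELY_SAFE even though each would run pty.spawn("/bin/sh") on load; adding pty flips them to UNSAFE. The broader lesson is that a deny list of module names is only as good as its coverage, so a scanner should treat any unknown global as suspicious rather than safe by default.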
Vulnrichment
added 2025/12/16 12:39 a.m., 1 view

CVE-2025-67748 Fickling has Code Injection vulnerability via pty.spawn()

Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by pty missing from the block list of unsafe module imports. This led to unsafe pickles based on pty.spawn being incorrectly flagged as LIKELY_SAFE; this was fixed in version 0.1.6. This impact...

CVSS 8.5, AI score 6.4, EPSS 0.00235
Exploits: 1, References: 3
Snyk
added 2025/12/15 11:37 p.m., 2 views

Deserialization of Untrusted Data

Overview: fickling is a static analyzer and interpreter for Python pickle data. Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to incomplete detection of dangerous pickle constructs. The safety analysis fails to block certain unsafe module imports,...

CVSS 8.5, AI score 8, EPSS 0.00235
Exploits: 1, References: 4
OSV
added 2025/12/15 11:37 p.m., 2 views

GHSA-R7V6-MFHQ-G3M2 Fickling has Code Injection vulnerability via pty.spawn()

Fickling Assessment: Based on the test case provided in the original report below, this bypass was caused by pty missing from our block list of unsafe module imports, as previously documented in 108, rather than the unused variable heuristic. This led to unsafe pickles based on pty.spawn being...

CVSS 8.5, AI score 7.8, EPSS 0.00235
Exploits: 1, References: 6