CVE Reports

Posted on • Originally published at cvereports.com

GHSA-5CXW-W2XG-2M8H: Security Bypass via Incomplete Denylist in Fickling Pickle Analyzer

Vulnerability ID: GHSA-5CXW-W2XG-2M8H
CVSS Score: 7.5
Published: 2026-03-13

Fickling versions 0.1.9 and earlier contain a high-severity security bypass vulnerability in the safety analyzer. The failure to include the Python standard library's platform module in the application's denylist allows attackers to craft malicious pickle files that execute arbitrary file reads and restricted system commands while being incorrectly validated as safe.

TL;DR

Fickling <= 0.1.9 utilizes an incomplete denylist that omits the 'platform' module. Attackers can bypass safety checks and achieve arbitrary file read or restricted command execution by referencing internal platform functions in a crafted pickle file.

⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-184: Incomplete List of Disallowed Inputs
  • Attack Vector: Local/Remote via Malicious File Upload
  • Impact: Security Bypass, Arbitrary File Read, Restricted RCE
  • Exploit Status: Proof of Concept Available
  • CVSS: 7.5 (High)
  • Authentication Required: None

Affected Systems

  • Machine Learning Model Pipelines
  • Systems validating untrusted Python pickle files using Fickling <= 0.1.9
  • fickling: <= 0.1.9 (Fixed in: 0.1.10)

Code Analysis

Commit: 351ed4d

Add platform to UNSAFE_IMPORTS

Exploit Details

  • SynScan: Proof of concept demonstrating the bypass, using the GLOBAL and REDUCE opcodes to invoke platform._syscmd_file

Mitigation Strategies

  • Upgrade Fickling to version 0.1.10 or later
  • Implement binary scanning on stored .pkl files to detect platform module references
  • Transition security architecture from a module denylist to a strict allowlist mechanism

Remediation Steps:

  1. Identify all internal systems and pipelines depending on fickling for validation
  2. Update the fickling dependency to >= 0.1.10 in requirements.txt or the equivalent file for your package manager
  3. Scan existing artifact repositories for pickle files containing the string 'platform' near '_syscmd_file' or 'libc_ver'
  4. If strict validation is required, wrap the fickling implementation with an enforced allowlist for specific acceptable modules
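The scanning step above (flag stored pickle files that reference the platform module) and the allowlist wrapper in step 4 can both be implemented without executing the pickle. The example below is added here and is not code from Fickling or from the advisory; it uses only the standard library's pickletools, walks the opcode stream, collects every module/attribute pair the file would import via the GLOBAL (protocol 0 to 2) or STACK_GLOBAL (protocol 4 and later) opcodes, and rejects any module outside a caller-supplied allowlist. The sample pickles, the ALLOWED_MODULES set and the function names are constructed for this example.

```python
import collections
import pickle
import pickletools
import platform
from typing import Dict, List, Set, Tuple

# Hypothetical allowlist for this example: only the modules a given pipeline
# legitimately needs inside its model files. Tune per deployment.
ALLOWED_MODULES: Set[str] = {"builtins", "collections"}

# Opcodes that invoke a callable during unpickling. A disallowed global
# followed by one of these is the pattern the advisory describes.
CALL_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}

# Opcodes that push a string literal; STACK_GLOBAL consumes the last two.
STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
                  "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> List[Tuple[str, str]]:
    """Return every (module, attribute) pair the pickle would import.

    pickletools.genops only disassembles the stream, so nothing in the
    file is executed. GLOBAL carries "module name" in its argument;
    STACK_GLOBAL takes the two most recently pushed strings.
    """
    refs: List[Tuple[str, str]] = []
    recent_strings: List[str] = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, attr = arg.split(" ", 1)
            refs.append((module, attr))
        elif opcode.name in STRING_OPCODES:
            recent_strings.append(arg)
        elif opcode.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding strings")
            refs.append((recent_strings[-2], recent_strings[-1]))
    return refs


def _allowed(module: str, allowlist: Set[str]) -> bool:
    # An allowlist entry covers the module itself and its submodules.
    return any(module == m or module.startswith(m + ".") for m in allowlist)


def scan_pickle(data: bytes, allowlist: Set[str] = ALLOWED_MODULES) -> Dict[str, object]:
    """Summarise a pickle's imports and decide under a strict allowlist."""
    refs = referenced_globals(data)
    disallowed = [(m, a) for m, a in refs if not _allowed(m, allowlist)]
    calls = sum(1 for op, _a, _p in pickletools.genops(data) if op.name in CALL_OPCODES)
    return {
        "globals": refs,
        "disallowed": disallowed,
        "calls": calls,
        "safe": not disallowed,
    }


# Constructed samples for this example (not files from any real incident).
SAMPLE_PLAIN_DATA = pickle.dumps({"weights": [0.1, 0.2], "epoch": 3})
SAMPLE_ALLOWED_GLOBAL = pickle.dumps(collections.OrderedDict)          # STACK_GLOBAL, allowed
SAMPLE_PLATFORM_P4 = pickle.dumps(platform.libc_ver)                   # STACK_GLOBAL, platform
SAMPLE_PLATFORM_P0 = pickle.dumps(platform.libc_ver, protocol=0)       # GLOBAL opcode form

if __name__ == "__main__":
    for label, blob in [("plain", SAMPLE_PLAIN_DATA),
                        ("allowed", SAMPLE_ALLOWED_GLOBAL),
                        ("platform-p4", SAMPLE_PLATFORM_P4),
                        ("platform-p0", SAMPLE_PLATFORM_P0)]:
        print(label, scan_pickle(blob))
```

Run this over each .pkl artifact before it is handed to Fickling or to pickle.load, and treat any non-empty disallowed list as a block, not a warning. The string tracking here is deliberately simple: it assumes the two strings STACK_GLOBAL consumes were pushed as literals immediately before it, which is what pickle.dumps emits but not what a stream that fetches them from the memo with GET/BINGET would do; a production scanner should emulate the memo as well, or rely on Fickling 0.1.10 or later for that analysis.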
