CVE Reports

Originally published at cvereports.com

GHSA-5HWF-RC88-82XM: CVE-2026-22609: Incomplete Blocklist in Fickling Pickle Analyzer Leads to Arbitrary Code Execution

Vulnerability ID: GHSA-5HWF-RC88-82XM
CVSS Score: 8.9
Published: 2026-03-04

A critical logic vulnerability exists in Fickling versions prior to 0.1.7, allowing attackers to bypass the library's security analysis. Fickling, a static analysis tool designed to detect malicious Python pickle files, relied on an incomplete blocklist (denylist) of dangerous modules. The analysis engine failed to flag imports of high-risk standard library modules such as ctypes, runpy, and importlib. Consequently, an attacker can craft a malicious pickle file that executes arbitrary code while Fickling erroneously classifies the file as "LIKELY_SAFE." This effectively neutralizes the tool's purpose as a security gate for untrusted serialized data.

TL;DR

Fickling < 0.1.7 fails to detect malicious pickle files that use dangerous standard library modules such as ctypes and runpy, because its hardcoded blocklist is incomplete. This allows attackers to bypass the security scanner and achieve Arbitrary Code Execution (ACE) on systems that rely on Fickling for validation.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-184
  • CWE Name: Incomplete List of Disallowed Inputs
  • Attack Vector: Network / Local (File)
  • CVSS v4.0: 8.9 (High)
  • CVSS v3.1: 7.8 (High)
  • Exploit Status: PoC Available

Affected Systems

  • Fickling < 0.1.7 (fixed in 0.1.7)
  • Machine Learning pipelines using Fickling for model validation
  • Python applications using Fickling to scan untrusted pickles

Code Analysis

Commit: 9a2b3f8

Add runpy to unsafe imports

UNSAFE_IMPORTS = (..., 'runpy')

Commit: 29d5545

Add importlib, code, and multiprocessing to unsafe imports

UNSAFE_IMPORTS = (..., 'importlib', 'code', 'multiprocessing')

Commit: b793563

Add pydoc and ctypes to unsafe imports

UNSAFE_IMPORTS = (..., 'pydoc', 'ctypes')

Commit: 3e52ae6

Check all components of package imports

if node.module and any(component in UNSAFE_IMPORTS for component in node.module.split('.')):

Exploit Details

  • GitHub: Verified PoC in test suite demonstrating runpy bypass

Mitigation Strategies

  • Upgrade Fickling to version 0.1.7 or later immediately.
  • Transition from Pickle serialization to safer formats like Safetensors or ONNX for ML models.
  • Implement strict sandboxing for any service that deserializes untrusted data.
  • If you must keep using pickle, use allowlists (whitelists) for imports rather than relying solely on blocklists.
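To make the two points above concrete (the per-component module check from commit 3e52ae6 and the allowlist recommendation), here is an added example of a small static import scanner, not Fickling's own code. It walks pickle opcodes with pickletools and never loads the data; the "old" and "new" denylists, the allowlist, and the verdict labels are assumptions for the example, and the GLOBAL-only sample pickles are constructed by hand just to exercise the scanners.

```python
import collections
import pickle
import pickletools

# Denylists modelled on Fickling's UNSAFE_IMPORTS. The page shows only the names
# added in the fix, so the "old" baseline below is an assumption for the example.
UNSAFE_OLD = frozenset({"os", "subprocess", "builtins"})
UNSAFE_NEW = UNSAFE_OLD | {"runpy", "importlib", "code", "multiprocessing", "pydoc", "ctypes"}
# Allowlist for a hypothetical model-loading service (assumed, not Fickling's).
ALLOWED = frozenset({"collections", "numpy", "numpy.core.multiarray"})

def pickle_imports(data: bytes) -> list:
    """Statically list each (module, name) the pickle would import. Never loads it."""
    found, strings = [], []          # strings: string pushes that feed STACK_GLOBAL
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":                  # protocol <= 3: arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":          # protocol 4+: two preceding strings
            if len(strings) < 2:
                raise ValueError("malformed STACK_GLOBAL")
            found.append((strings[-2], strings[-1]))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return found

def denylist_verdict(data: bytes, unsafe, split_components: bool = False) -> str:
    """Denylist scan. split_components=True mirrors commit 3e52ae6: every dotted
    component of the module path is tested, not only the whole string."""
    def listed(module):
        parts = module.split(".") if split_components else [module]
        return any(p in unsafe for p in parts)
    bad = [m for m, _ in pickle_imports(data) if listed(m)]
    return "UNSAFE" if bad else "LIKELY_SAFE"   # verdict labels assumed for the example

def allowlist_verdict(data: bytes, allowed=ALLOWED) -> str:
    """Allowlist scan: any import not explicitly permitted is rejected."""
    bad = [m for m, _ in pickle_imports(data) if m not in allowed]
    return "UNSAFE" if bad else "LIKELY_SAFE"

# Constructed samples. The GLOBAL-only pickles merely push a function reference
# and are never loaded here; they exist to exercise the scanners.
BENIGN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=2)
CLASS_REF = pickle.dumps(collections.OrderedDict, protocol=4)      # STACK_GLOBAL path
RUNPY_REF = pickle.PROTO + b"\x02" + pickle.GLOBAL + b"runpy\nrun_path\n" + pickle.STOP
DOTTED_REF = pickle.PROTO + b"\x02" + pickle.GLOBAL + b"importlib.util\nfind_spec\n" + pickle.STOP

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("runpy", RUNPY_REF), ("dotted", DOTTED_REF)]:
        print(label, denylist_verdict(blob, UNSAFE_OLD), denylist_verdict(blob, UNSAFE_NEW),
              denylist_verdict(blob, UNSAFE_NEW, split_components=True), allowlist_verdict(blob))
```

The old denylist passes the runpy reference, the new one catches it only when the module string matches exactly, the per-component check also catches importlib.util, and the allowlist rejects both without needing to enumerate dangerous modules at all.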

Remediation Steps:

  1. Run pip show fickling to check the installed version.
  2. If the version is below 0.1.7, execute pip install --upgrade fickling.
  3. Review any pickle files ingested during the vulnerable window.

Read the full report for GHSA-5HWF-RC88-82XM on our website for more details including interactive diagrams and full exploit analysis.
