CVE Reports

Originally published at cvereports.com

GHSA-R48F-3986-4F9C: Security Bypass via Incomplete Blocklist and AST Traversal Flaws in Fickling

Vulnerability ID: GHSA-R48F-3986-4F9C
CVSS Score: 7.8
Published: 2026-03-13

The Trail of Bits fickling library, a static analyzer and decompiler for Python pickles, suffers from a security bypass vulnerability. Prior to version 0.1.10, the tool failed to include highly privileged standard library modules in its internal blocklist and improperly constructed Abstract Syntax Tree (AST) nodes during analysis. This allows an attacker to craft malicious pickle files that evade detection and subsequently execute arbitrary code or read sensitive files when deserialized by the victim.

TL;DR

Fickling versions prior to 0.1.10 fail to detect malicious Python pickles due to an incomplete module blocklist and a flaw in AST node traversal, allowing arbitrary code execution or arbitrary file read bypasses.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Security Bypass / Deserialization of Untrusted Data
  • CWE ID: CWE-184, CWE-502
  • CVSS v3.1 Score: 7.8 (High)
  • Affected Component: fickle.py (UNSAFE_IMPORTS), AST node initialization
  • Exploit Status: Proof of Concept (PoC) available
  • Attack Vector: Crafted Pickle Bytecode
  • Fix Version: 0.1.10

Affected Systems

  • trailofbits/fickling
  • Python Applications relying on Fickling for pickle security
  • fickling: < 0.1.10 (Fixed in: 0.1.10)

Code Analysis

Commit: 7f39d97

Fix unsafe import omissions and AST traversal logic flaws.

@@ -20,6 +20,7 @@ UNSAFE_IMPORTS = {
     "pkgutil",
     "zipimport",
+    "gc",
     "pdb",
     "runpy",
     "platform",
+    "linecache",
+    "difflib",
     "trace",
     "timeit",
 }
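Review bot: this hunk only widens the UNSAFE_IMPORTS blocklist with "gc", "linecache" and "difflib", while the commit message also claims to fix "AST traversal logic flaws"; that second change is not visible in the hunk, so the blocklist additions should not be merged without the AST node initialization change they are meant to accompany, and the PR description should point at it. A regression test that builds a pickle importing each newly listed module and asserts that fickling flags it would keep these entries from silently regressing. Since any blocklist is incomplete by construction (CWE-184), the docstring near UNSAFE_IMPORTS should also state that a clean result is a heuristic, not a guarantee of safety.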

Mitigation Strategies

  • Upgrade fickling package to version 0.1.10.
  • Implement defense-in-depth by running deserialization tasks within strict sandbox environments (e.g., gVisor, seccomp-bpf).
  • Enforce cryptographic signing (HMAC) of all pickle files to guarantee provenance before analysis.
  • Migrate to safer serialization formats like JSON, Protobuf, or safetensors where dynamic execution is not required.
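The HMAC-signing and defense-in-depth recommendations above, as an added Python example that is not part of the original report or of the fickling project: a producer signs the pickle payload with HMAC-SHA256, the consumer verifies the tag before a single byte reaches the unpickler, and the unpickler resolves globals through an allowlist rather than a blocklist, so modules a blocklist might omit (the page names gc, linecache and difflib) can never be resolved even if a signing key were misused. DEMO_KEY, SAFE_GLOBALS, AllowlistUnpickler and the sample payloads are constructed for this example.

```python
import hashlib
import hmac
import importlib
import io
import pickle

# Constructed demo key; a real deployment loads it from a secrets manager.
DEMO_KEY = b"demo-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size

# Allowlist of globals the unpickler may resolve. Anything not listed here,
# including modules a blocklist might forget (gc, linecache, difflib, ...),
# is refused before it is ever imported.
SAFE_GLOBALS = {
    "builtins": {"set", "frozenset", "bytearray", "complex", "range", "slice"},
    "collections": {"OrderedDict", "deque"},
}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler whose find_class only resolves globals named in SAFE_GLOBALS."""

    def find_class(self, module, name):
        if name not in SAFE_GLOBALS.get(module, set()):
            raise pickle.UnpicklingError(
                f"refusing global {module}.{name}: not on the allowlist"
            )
        return getattr(importlib.import_module(module), name)


def sign_pickle(obj, key=DEMO_KEY):
    """Serialize obj and prepend an HMAC-SHA256 tag computed over the payload."""
    payload = pickle.dumps(obj, protocol=4)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def load_signed_pickle(blob, key=DEMO_KEY):
    """Verify the tag in constant time, then unpickle through the allowlist."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry an HMAC tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: payload was not produced by a trusted signer")
    return AllowlistUnpickler(io.BytesIO(payload)).load()


def demo():
    """Exercise the three cases that matter; returns a summary dict."""
    results = {}

    # 1. A legitimately signed payload round-trips unchanged.
    blob = sign_pickle({"model": "demo", "epochs": 3})
    results["valid"] = load_signed_pickle(blob)

    # 2. Flipping one byte of the payload fails verification before unpickling.
    tampered = bytearray(blob)
    tampered[-1] ^= 0x01
    try:
        load_signed_pickle(bytes(tampered))
        results["tampered"] = "accepted"
    except ValueError:
        results["tampered"] = "rejected"

    # 3. Even with a valid signature, a global outside the allowlist is refused.
    #    pickle.dumps of a function object emits only a GLOBAL reference, so
    #    nothing is called here; the unpickler rejects it at find_class.
    import linecache
    blob_with_global = sign_pickle(linecache.getline)
    try:
        load_signed_pickle(blob_with_global)
        results["disallowed_global"] = "accepted"
    except pickle.UnpicklingError:
        results["disallowed_global"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The order matters: the HMAC check runs over the raw bytes first, so an unsigned or tampered file never reaches the unpickler, and the allowlist in find_class is the second layer for the case where a trusted signer itself is compromised. Neither layer depends on a static analyzer recognising every dangerous module.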

Remediation Steps:

  1. Identify all projects and virtual environments utilizing the fickling library.
  2. Update the dependency using pip install --upgrade fickling==0.1.10 or the equivalent package manager command.
  3. Review application logic to ensure fickling is not the sole security mechanism preventing untrusted deserialization.
  4. Audit system logs for unauthorized access to sensitive files (e.g., /etc/passwd) that may indicate prior exploitation via linecache.
