CVE Reports

Posted on • Originally published at cvereports.com

GHSA-WCCX-J62J-R448: Fickling Security Bypass: Incomplete Monkey-Patching in Safety Hooks

Vulnerability ID: GHSA-WCCX-J62J-R448
CVSS Score: 9.3
Published: 2026-03-04

A critical vulnerability exists in the fickling library's safety mechanism: always_check_safety() installs hooks over some, but not all, of the standard pickle deserialization entry points. Versions up to 0.1.8 hooked pickle.load but not pickle.loads, _pickle.load, or _pickle.loads, so a malicious pickle passed through any of those unhooked functions skips fickling's analysis entirely and executes arbitrary code even when the safety controls are explicitly enabled.

TL;DR

Fickling versions <= 0.1.8 do not hook pickle.loads, _pickle.load, or _pickle.loads, so payloads deserialized through those entry points bypass the safety checks. Fixed in version 0.1.9.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-693 (Protection Mechanism Failure)
  • Attack Vector: Network (deserialization of untrusted data)
  • CVSS v4.0: 9.3 (Critical)
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: Proof of Concept Available
  • Fix Version: 0.1.9

Affected Systems

  • Python applications using fickling for pickle safety
  • fickling: <= 0.1.8 (Fixed in: 0.1.9)

Code Analysis

Commit: 8c24c6e

Fix incomplete monkey-patching of pickle.loads and _pickle functions

--- a/fickling/hook.py
+++ b/fickling/hook.py
@@ -31,8 +31,11 @@ def load(self):

 def run_hook():
     """Replace pickle.load() and pickle.Unpickler by fickling's safe versions"""
-    # Hook the function
+    # Hook functions
     pickle.load = loader.load
+    _pickle.load = loader.load
+    pickle.loads = loader.loads
+    _pickle.loads = loader.loads
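Review bot: the docstring above still says the hook replaces only pickle.load() and pickle.Unpickler, while the hunk now also rebinds pickle.loads, _pickle.load and _pickle.loads; update it to list the four names so the coverage of the hook is documented where it is implemented. The hunk also uses `_pickle` without showing where it is imported, so confirm hook.py has `import _pickle` at module level, and note in the docstring that rebinding module attributes does not reach callers that already hold a reference obtained via `from pickle import loads` before run_hook() ran.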

Exploit Details

Mitigation Strategies

  • Dependency Upgrade
  • Import Order Verification
  • Code Audit

Remediation Steps:

  1. Update fickling to version 0.1.9 using pip install --upgrade fickling.
  2. Verify that fickling.always_check_safety() is called as early as possible at application startup, before any other module binds its own reference to pickle.load or pickle.loads. The hook works by rebinding attributes on the pickle module, so a reference captured earlier keeps pointing at the original, unhooked function.
  3. Audit the codebase for from pickle import load / from pickle import loads (and for aliases that store those functions under other names), which cache a reference to the unhooked function if they run before the hook is applied.
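The following is an added example, not fickling's code or part of the original report. It uses a minimal stand-in for fickling's monkey-patching hook to show two things from the steps above: why hooking only pickle.load (the <= 0.1.8 behaviour) leaves pickle.loads and the _pickle module unprotected, and why a reference imported before the hook runs stays unprotected even once all four names are patched (the import-order trap in step 3). The opcode scan in is_suspicious is a deliberately crude stand-in for fickling's analysis, and _pickle is assumed to be the CPython accelerator module that pickle re-exports; the payload is constructed here and only calls os.getpid() so it is harmless to run.

```python
"""Added example: a minimal stand-in for a pickle safety hook, illustrating
the coverage gap behind GHSA-WCCX-J62J-R448. Not fickling's code; the opcode
scan below is a crude stand-in for fickling's analysis. Assumes CPython,
where pickle.load/loads are re-exported from the _pickle C module."""
import io
import os
import pickle
import _pickle
import pickletools


class UnsafePickle(Exception):
    """Raised by the hooked loaders when the static scan rejects a payload."""


class _Marker:
    """Constructed payload: unpickling calls os.getpid() via GLOBAL + REDUCE.
    os.getpid is harmless; a real attacker would reference os.system etc."""

    def __reduce__(self):
        return (os.getpid, ())


PAYLOAD = pickle.dumps(_Marker())   # constructed malicious pickle
BENIGN = pickle.dumps({"a": 1})     # constructed harmless pickle

# Originals captured at import time, before any hook is installed.
_REAL_LOAD, _REAL_LOADS = pickle.load, pickle.loads


def is_suspicious(data: bytes) -> bool:
    """Flag any pickle that imports a global: GLOBAL / STACK_GLOBAL are the
    opcodes through which a pickle reaches callables such as os.system."""
    return any(op.name in ("GLOBAL", "STACK_GLOBAL")
               for op, _arg, _pos in pickletools.genops(data))


def safe_loads(data, *args, **kwargs):
    if is_suspicious(data):
        raise UnsafePickle("blocked: pickle imports a global")
    return _REAL_LOADS(data, *args, **kwargs)


def safe_load(file, *args, **kwargs):
    return safe_loads(file.read(), *args, **kwargs)


def install_hook(*, complete: bool) -> None:
    """complete=False mirrors the <= 0.1.8 pattern (pickle.load only);
    complete=True mirrors the 0.1.9 fix (all four names rebound)."""
    pickle.load = safe_load
    if complete:
        _pickle.load = safe_load
        pickle.loads = safe_loads
        _pickle.loads = safe_loads


def remove_hook() -> None:
    pickle.load, pickle.loads = _REAL_LOAD, _REAL_LOADS
    _pickle.load, _pickle.loads = _REAL_LOAD, _REAL_LOADS


def attempt(loader, data: bytes) -> str:
    """'blocked' if the hook refused the payload, 'executed' if the payload's
    os.getpid() call actually ran."""
    try:
        loader(data)
    except UnsafePickle:
        return "blocked"
    return "executed"


def run_scenarios() -> dict:
    # Bound BEFORE either hook is installed: the import-order trap. This name
    # keeps pointing at the real C function no matter what is patched later.
    from pickle import loads as cached_loads

    results = {}
    install_hook(complete=False)
    try:
        results["partial pickle.load"] = attempt(
            lambda d: pickle.load(io.BytesIO(d)), PAYLOAD)
        results["partial pickle.loads"] = attempt(pickle.loads, PAYLOAD)
        results["partial _pickle.loads"] = attempt(_pickle.loads, PAYLOAD)
    finally:
        remove_hook()

    install_hook(complete=True)
    try:
        results["full pickle.load"] = attempt(
            lambda d: pickle.load(io.BytesIO(d)), PAYLOAD)
        results["full pickle.loads"] = attempt(pickle.loads, PAYLOAD)
        results["full _pickle.loads"] = attempt(_pickle.loads, PAYLOAD)
        results["full cached loads"] = attempt(cached_loads, PAYLOAD)
    finally:
        remove_hook()
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:25} {outcome}")
```

Run as a script, the partial hook blocks pickle.load but lets pickle.loads and _pickle.loads execute the payload; the complete hook blocks all three, yet the reference taken with from pickle import loads before the hook still executes it, which is why step 2 insists on installing the hook before anything else binds those names.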

References


Read the full report for GHSA-WCCX-J62J-R448 on our website for more details including interactive diagrams and full exploit analysis.
